hxxps://pixeldrain[.]com/u/TcV2BREC

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
1181	228	msedge.exe
952	228	msedge.exe
1692	228	msedge.exe
1847	228	msedge.exe
1866	228	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Control Panel\International\Geo\Nation	K-Lite_Codec_Pack_1766_Standard.tmp

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
6292	Wave Browser.exe
1236	SWUpdaterSetup.exe
6384	SWUpdater.exe
4944	SWUpdater.exe
1588	SWUpdaterComRegisterShell64.exe
4496	SWUpdaterComRegisterShell64.exe
5712	SWUpdaterComRegisterShell64.exe
1696	SWUpdater.exe
6388	SWUpdater.exe
6720	SWUpdater.exe
7016	WaveInstaller-v1.5.20.5.exe
200	setup.exe
4508	setup.exe
1664	setup.exe
848	setup.exe
5280	wavebrowser.exe
3588	wavebrowser.exe
6048	wavebrowser.exe
1604	wavebrowser.exe
5340	wavebrowser.exe
4192	wavebrowser.exe
1312	wavebrowser.exe
4836	wavebrowser.exe
6928	wavebrowser.exe
5268	wavebrowser.exe
8012	wavebrowser.exe
8140	wavebrowser.exe
8160	wavebrowser.exe
8176	wavebrowser.exe
3468	wavebrowser.exe
6904	wavebrowser.exe
1308	wavebrowser.exe
3488	wavebrowser.exe
1560	wavebrowser.exe
7176	wavebrowser.exe
7800	wavebrowser.exe
6776	wavebrowser.exe
5220	wavebrowser.exe
7948	SWUpdater.exe
6840	wavebrowser.exe
8020	wavebrowser.exe
8004	wavebrowser.exe
1696	wavebrowser.exe
8092	wavebrowser.exe
7660	wavebrowser.exe
7436	wavebrowser.exe
4028	wavebrowser.exe
6220	wavebrowser.exe
7196	wavebrowser.exe
3476	wavebrowser.exe
1668	wavebrowser.exe
7164	wavebrowser.exe
5940	wavebrowser.exe
7120	wavebrowser.exe
3820	wavebrowser.exe
5836	wavebrowser.exe
7824	wavebrowser.exe
7436	wavebrowser.exe
5196	wavebrowser.exe
7664	wavebrowser.exe
7916	wavebrowser.exe
5836	wavebrowser.exe
1512	wavebrowser.exe
2420	wavebrowser.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Wine\Debug	K-Lite_Codec_Pack_1766_Standard.tmp

Loads dropped DLL 64 IoCs

pid	Process
6384	SWUpdater.exe
4944	SWUpdater.exe
1588	SWUpdaterComRegisterShell64.exe
4944	SWUpdater.exe
4496	SWUpdaterComRegisterShell64.exe
4944	SWUpdater.exe
5712	SWUpdaterComRegisterShell64.exe
4944	SWUpdater.exe
1696	SWUpdater.exe
6388	SWUpdater.exe
6720	SWUpdater.exe
6720	SWUpdater.exe
6388	SWUpdater.exe
5280	wavebrowser.exe
3588	wavebrowser.exe
5280	wavebrowser.exe
6048	wavebrowser.exe
1604	wavebrowser.exe
6048	wavebrowser.exe
4192	wavebrowser.exe
5340	wavebrowser.exe
5340	wavebrowser.exe
4192	wavebrowser.exe
1312	wavebrowser.exe
1312	wavebrowser.exe
4836	wavebrowser.exe
4836	wavebrowser.exe
6928	wavebrowser.exe
5340	wavebrowser.exe
5340	wavebrowser.exe
5340	wavebrowser.exe
6928	wavebrowser.exe
5340	wavebrowser.exe
5340	wavebrowser.exe
5340	wavebrowser.exe
5268	wavebrowser.exe
5268	wavebrowser.exe
8012	wavebrowser.exe
8012	wavebrowser.exe
8140	wavebrowser.exe
8140	wavebrowser.exe
8160	wavebrowser.exe
8160	wavebrowser.exe
8176	wavebrowser.exe
8176	wavebrowser.exe
3468	wavebrowser.exe
3468	wavebrowser.exe
6904	wavebrowser.exe
6904	wavebrowser.exe
1308	wavebrowser.exe
1308	wavebrowser.exe
3488	wavebrowser.exe
3488	wavebrowser.exe
1560	wavebrowser.exe
1560	wavebrowser.exe
7176	wavebrowser.exe
7176	wavebrowser.exe
7800	wavebrowser.exe
6776	wavebrowser.exe
7800	wavebrowser.exe
6776	wavebrowser.exe
5220	wavebrowser.exe
5220	wavebrowser.exe
7948	SWUpdater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wavesor SWUpdater = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.139.0\\SWUpdaterCore.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	StellarDataRecovery.exe
File opened (read-only)	\??\B:	StellarDataRecovery.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	StellarDataRecovery.exe
File opened (read-only)	\??\F:	StellarDataRecovery.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

flow	ioc
98	raw.githubusercontent.com
289	camo.githubusercontent.com
290	camo.githubusercontent.com
1629	raw.githubusercontent.com
1845	raw.githubusercontent.com
97	raw.githubusercontent.com
101	raw.githubusercontent.com
1635	raw.githubusercontent.com
1843	raw.githubusercontent.com
1846	raw.githubusercontent.com
1847	raw.githubusercontent.com
7	raw.githubusercontent.com
100	raw.githubusercontent.com
103	raw.githubusercontent.com
1630	raw.githubusercontent.com
1864	raw.githubusercontent.com
99	raw.githubusercontent.com
102	raw.githubusercontent.com
1631	raw.githubusercontent.com
1633	raw.githubusercontent.com
1634	raw.githubusercontent.com
1866	raw.githubusercontent.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
880	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html	228	msedge.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	StellarDataRecovery.exe
File opened for modification	\??\PhysicalDrive0	smartctl64Bit.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	wavebrowser.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Stellar Data Recovery\Resources\media\Boot\ja-jp\is-DL2DL.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Boot\nb-no\is-ASTTK.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Microsoft\Boot\Fonts\is-A5R04.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\zh-tw\is-3D3ED.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\JA\is-3PC8O.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\VideoTranslation\IT\is-56PO3.tmp	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\mplayer.exe	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-S60K0.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\imageformats\is-AVNBN.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Boot\uk-ua\is-H900I.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\DE\is-IUO0M.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\DU\is-FJNUF.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Translation\BR\is-O99UD.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\translations\is-AG0KR.tmp	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\avformat-lav-56.dll	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\StellarRepairforPhoto.exe	StellarDataRecovery.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Icaros\Resources\Localize\is-S3SFC.tmp	K-Lite_Codec_Pack_1766_Standard.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\audio\qtaudio_wasapi.dll	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\BootableTranslation\BR\is-3S3GE.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\BootableTranslation\KO\is-ISK5P.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\DE\is-RQL85.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\Ontrack\FR\is-B2GRC.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\CN\is-FU2NJ.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\translations\is-T847O.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\VideoTranslation\Ontrack\BR\is-FF9N3.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-HGKN0.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-7B91F.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\Boot\zh-cn\is-141N4.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Boot\lt-lt\is-17Q9U.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Translation\BR\is-Q3BFP.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Translation\JA\is-VNQ53.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Translation\KO\is-S44CK.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\TranslationSS\HI\is-JASDJ.tmp	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\api-ms-win-core-file-l1-1-0.dll	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-15CNB.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Boot\es-es\is-7NLCA.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\TranslationSS\Ontrack\DE\is-CJ2FJ.tmp	StellarDataRecovery.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Icaros\Resources\is-0DGVP.tmp	K-Lite_Codec_Pack_1766_Standard.tmp
File created	C:\Program Files\Stellar Data Recovery\is-606T2.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\BootableTranslation\HI\is-44V8M.tmp	StellarDataRecovery.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\is-UT81H.tmp	K-Lite_Codec_Pack_1766_Standard.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Icaros\is-5JKUK.tmp	K-Lite_Codec_Pack_1766_Standard.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\api-ms-win-core-libraryloader-l1-1-0.dll	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\Qt5Widgets.dll	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\Resources\media\Boot\Resources\bootres.dll	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-M9VB7.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Microsoft\Boot\Fonts\is-1IOO4.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Microsoft\Boot\sv-se\is-JSR6J.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\ko-kr\is-9JLLV.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-L63TB.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-4VCL1.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\CN\is-IROUM.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\IT\is-JVCEP.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\Boot\Fonts\is-BGD9V.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Microsoft\Boot\Fonts\is-6A8KO.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\es-mx\is-UKAT4.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\DU\is-H5L73.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\SDMTranslation\FR\is-1K8FJ.tmp	StellarDataRecovery.tmp
File opened for modification	C:\Program Files\Stellar Data Recovery\d3dcompiler_47.dll	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-GE5SS.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\is-2PKIE.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\KO\is-8LBQ6.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\PhotoTranslation\Ontrack\EN\is-5UU7U.tmp	StellarDataRecovery.tmp
File created	C:\Program Files\Stellar Data Recovery\Resources\media\EFI\Microsoft\Boot\Fonts\is-1R753.tmp	StellarDataRecovery.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_606522571\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1081402192\automation.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1081402192\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1306663305\keys.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1485739668\manifest.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\MW	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_606522571\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_458928288\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_378641049\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\PK	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\EE	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\SZ	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\NC	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\BY	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\BO	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1772003159\LICENSE.txt	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\MD	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\MA	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_282544540\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_8336752\ssl_error_assistant.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\XK	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\JP	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\BG	wavebrowser.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\SY	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\KH	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\GF	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\FJ	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_458928288\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\ZA	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1854052685\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1689491499\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1550677660\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_267076758\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\BF	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1306663305\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_964232247\ct_config.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1118877702\manifest.fingerprint	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\YE	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\NO	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\CO	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_765155074\cr_en-us_500000_index.bin	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\TK	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\SN	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\LC	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\ES	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\CD	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\AE	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_495589119\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_563957225\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_964232247\crs.pb	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\SV	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\PT	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\GN	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_2032370090\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1766664680\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5160_1081402192\travel-facilitated-booking-bing.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\UA	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\TL	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\RO	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\IL	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_284837599\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5280_1294005868\DE	wavebrowser.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Wave Browser.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\StellarDataRecovery.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The Happy AntiVirus Setup Wizard.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpySheriff.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller-v1.5.20.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K-Lite_Codec_Pack_1766_Standard.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StellarDataRecovery.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happy Antivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdaterSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	K-Lite_Codec_Pack_1766_Standard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setacl_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	The Happy AntiVirus Setup Wizard.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setacl_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	The Happy AntiVirus Setup Wizard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StellarDataRecovery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1696	SWUpdater.exe
7948	SWUpdater.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c00000002c3ac-12092.dat	nsis_installer_1
behavioral1/files/0x000c00000002c3ac-12092.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	K-Lite_Codec_Pack_1766_Standard.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	K-Lite_Codec_Pack_1766_Standard.tmp

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wavebrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
8592	taskkill.exe
5552	taskkill.exe
9484	taskkill.exe
6188	taskkill.exe
8828	taskkill.exe
6528	taskkill.exe
9132	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Icaros\UseCoverArt = "1"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Icaros\Cache	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Icaros\Cache\MinFreeSpace = "5120"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Icaros\FrameThresh = "8"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Icaros\DebugMode = "1"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875098580299229"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wavebrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Icaros	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Icaros\Offset = "25"	K-Lite_Codec_Pack_1766_Standard.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WOW6432Node\Interface\{E44B162B-4287-40B0-8E7A-6E251D80B3DF}\NumMethods\ = "17"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WaveBrwsHTM.737NQ6RNIDPCTOU2VE5UK5L3YA\DefaultIcon\ = "C:\\Users\\Admin\\Wavesor Software\\WaveBrowser\\wavebrowser.exe,3"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C08E3BB-D10B-4CC9-B1B3-701F5BE9D6EC}\ = "Icaros Property Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.m2p\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.trp\shell\open	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.trp\OpenWithProgids	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}\NumMethods\ = "12"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz\PerceivedType = "image"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.mpc\ = "Musepack Audio File"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ShellEx	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.ogg\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\Extensions\.3gp2\Source Filter = "{B98D13E7-55DB-4385-A33D-09FD1BA26338}"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WOW6432Node\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}\ = "ICoCreateAsyncStatus"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogv\ExtendedTileInfo = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.ivf\shell\enqueue	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.dff\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe\" /Open \"%L\""	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tp\ShellEx	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.webm\Source Filter = "{B98D13E7-55DB-4385-A33D-09FD1BA26338}"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WaveBrwsPDF.737NQ6RNIDPCTOU2VE5UK5L3YA\ = "WaveBrowser PDF Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.pmp	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338}\ = "LAV Splitter Source"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.rm\PreferExecuteOnMismatch = "1"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flv\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "{c5aec3ec-e812-4677-a9a7-4fee1f9aa000}"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12811"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WOW6432Node\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}\ProxyStubClsid32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\CLSID	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{3BE77C6E-0029-4F24-B677-32C9E15CD8F1}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdmov\PerceivedType = "video"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.dsf\PreferExecuteOnMismatch = "1"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.mxf\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.m4a\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.bdmv	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}\NumMethods\ = "4"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{E4E159E0-7B9C-4D75-AC11-A80628173DE3}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.f4v\InfoTip = "prop:System.ItemType;System.Size;System.Media.Duration;System.OfflineAvailability"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.video\shell\play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.wv\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.ape\ = "Monkey's Audio File"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.amv\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WOW6432Node\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\ = "ICurrentState"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{171252A0-8820-4AFE-9DF8-5C92B2D66B04}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mkv\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{92333BDA-3022-4A7F-8858-081260EA85DE}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\CLSID\{6C4CCEAC-D03B-4674-B2A9-D44A1D18FD9C}\InprocHandler32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.139.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogv	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.rec\shell	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.spx\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\.svg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\.opus	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ra\PerceivedType = "audio"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KLCP.WMP.dff\DefaultIcon	K-Lite_Codec_Pack_1766_Standard.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\Extensions\.mov\Media Type = "{E436EB83-524F-11CE-9F53-0020AF0BA770}"	K-Lite_Codec_Pack_1766_Standard.tmp
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\WOW6432Node\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}\ProxyStubClsid32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}\NumMethods\ = "24"	SWUpdaterComRegisterShell64.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\scoped_dir5160_1921217884\pefhciejnkgdgoahgfeklebcbpmhnhhd_10612.crx\:Zone.Identifier:$DATA	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\StellarDataRecovery.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpySheriff.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Webstore Downloads\pefhciejnkgdgoahgfeklebcbpmhnhhd_10612.crx:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Wave Browser.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FakeAdwCleaner.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The Happy AntiVirus Setup Wizard.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
9320	StellarDataRecovery.exe
7148	explorer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
6384	SWUpdater.exe
6384	SWUpdater.exe
200	setup.exe
200	setup.exe
200	setup.exe
200	setup.exe
200	setup.exe
200	setup.exe
6384	SWUpdater.exe
6384	SWUpdater.exe
6384	SWUpdater.exe
6384	SWUpdater.exe
9596	StellarDataRecovery.tmp
9596	StellarDataRecovery.tmp
8292	K-Lite_Codec_Pack_1766_Standard.tmp
8292	K-Lite_Codec_Pack_1766_Standard.tmp
7148	explorer.exe
7148	explorer.exe
5624	wavebrowser.exe
5624	wavebrowser.exe
2956	The Happy AntiVirus Setup Wizard.tmp
2956	The Happy AntiVirus Setup Wizard.tmp
6368	SWUpdater.exe
6368	SWUpdater.exe
6368	SWUpdater.exe
6368	SWUpdater.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
9320	StellarDataRecovery.exe
7148	explorer.exe
5160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6292	Wave Browser.exe
Token: SeDebugPrivilege	6384	SWUpdater.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeDebugPrivilege	6384	SWUpdater.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe
Token: SeCreatePagefilePrivilege	5280	wavebrowser.exe
Token: SeShutdownPrivilege	5280	wavebrowser.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
1664	setup.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
5280	wavebrowser.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
9320	StellarDataRecovery.exe
9320	StellarDataRecovery.exe
9320	StellarDataRecovery.exe
9320	StellarDataRecovery.exe
9320	StellarDataRecovery.exe
7148	explorer.exe
6376	SearchHost.exe
8368	StartMenuExperienceHost.exe
7148	explorer.exe
7148	explorer.exe
7148	explorer.exe
8372	6AdwCleaner.exe
8372	6AdwCleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5160 wrote to memory of 668	5160	msedge.exe	81
PID 5160 wrote to memory of 668	5160	msedge.exe	81
PID 5160 wrote to memory of 228	5160	msedge.exe	82
PID 5160 wrote to memory of 228	5160	msedge.exe	82
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 2660	5160	msedge.exe	83
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85
PID 5160 wrote to memory of 928	5160	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/TcV2BREC
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x1a0,0x7ffba3fbf208,0x7ffba3fbf214,0x7ffba3fbf220
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1848,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2336,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2564,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:13
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3444,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4080,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4140,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:9
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4132,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4296,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:9
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4156,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:14
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4212,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:14
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5256,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:14
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5248,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:14
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:14
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:14
  2⤵
  PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:14
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:14
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:14
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:14
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:14
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6764,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:14
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6944,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:14
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7096,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:14
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6776,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:14
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4468,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:14
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=4320,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=4576,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6568,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=4584,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=5976,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6192,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:14
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4200,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:14
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7084,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:14
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=2948,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4312,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3924,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:14
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7328,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:12
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4408,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:14
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=5416,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7444 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=7588,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5720,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=5736,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7908,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7900 /prefetch:14
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=7988,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7944 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=8188,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8396,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=768 /prefetch:14
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8004,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8324 /prefetch:14
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=772,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=8392,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7924 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=8204,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8220 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=8220,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:9
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=8668,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7900 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=8816,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8840 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=8976,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9004 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=9272,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9264 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9568,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=2896 /prefetch:14
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7308,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9104 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8984,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8608 /prefetch:14
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9644,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9668 /prefetch:14
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8304,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8260 /prefetch:14
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8624,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8612 /prefetch:14
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=9756,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=7904 /prefetch:9
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=7860,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9068 /prefetch:1
  2⤵
  PID:7140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9572,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9636 /prefetch:14
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8880,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8940 /prefetch:14
  2⤵
  PID:6840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8960,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:14
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=6480,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9448 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=5600,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9044 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5556,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:14
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=8560,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9708 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=9792,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9780 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=9976,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9984 /prefetch:1
  2⤵
  PID:6588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --always-read-main-dll --field-trial-handle=9956,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10180 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --always-read-main-dll --field-trial-handle=10020,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10184 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --always-read-main-dll --field-trial-handle=7788,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10540 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=10524,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10744 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --always-read-main-dll --field-trial-handle=10900,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10912 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --always-read-main-dll --field-trial-handle=11040,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11064 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --always-read-main-dll --field-trial-handle=10724,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11220 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --always-read-main-dll --field-trial-handle=11328,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11372 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --always-read-main-dll --field-trial-handle=11576,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --always-read-main-dll --field-trial-handle=11056,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10656 /prefetch:1
  2⤵
  PID:6432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --always-read-main-dll --field-trial-handle=10736,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11776 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --always-read-main-dll --field-trial-handle=10000,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11968 /prefetch:1
  2⤵
  PID:6656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --always-read-main-dll --field-trial-handle=12100,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12132 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --always-read-main-dll --field-trial-handle=11972,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12188 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --always-read-main-dll --field-trial-handle=12440,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12248 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --always-read-main-dll --field-trial-handle=11532,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12600 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --always-read-main-dll --field-trial-handle=11964,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9632 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --always-read-main-dll --field-trial-handle=10656,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10792 /prefetch:1
  2⤵
  PID:6196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --always-read-main-dll --field-trial-handle=10848,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10068 /prefetch:1
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --always-read-main-dll --field-trial-handle=8900,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9040 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10100,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8856 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3372
- C:\Users\Admin\Downloads\Wave Browser.exe
  "C:\Users\Admin\Downloads\Wave Browser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6292
- - C:\Users\Admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1236
  - - C:\Program Files (x86)\Wavesor\Temp\GUMB538.tmp\SWUpdater.exe
      "C:\Program Files (x86)\Wavesor\Temp\GUMB538.tmp\SWUpdater.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6384
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1588
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4496
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5712
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTM5LjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzkuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9IntEMEFGMDQ4Mi0xMDQyLTQzM0MtQTc1NC03M0VGMzVGRDlGOTB9IiB1c2VyaWQ9Ins1YmExZDU4ZS02MDJkLTQ2MjctODQzNy1kMzNiMDgxMzJlYmV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezNGODE1MDRCLUI2OTMtNERGOC04Q0E5LTdENUUzRUNDRjA5Qn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntGNkY2MEFDRS03MUFELTQ2MTAtODBENC05MjUzNzI5RkI0Qjd9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTM5LjAiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIzMzciLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1696
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /handoff "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1" /installsource otherinstallcmd /sessionid "{D0AF0482-1042-433C-A754-73EF35FD9F90}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=13368,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=13388 /prefetch:14
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --always-read-main-dll --field-trial-handle=9276,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10128 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --always-read-main-dll --field-trial-handle=11028,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12292 /prefetch:1
  2⤵
  PID:6236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --always-read-main-dll --field-trial-handle=2672,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11252 /prefetch:1
  2⤵
  PID:6400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --always-read-main-dll --field-trial-handle=12544,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9900 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --always-read-main-dll --field-trial-handle=12356,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11004 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --always-read-main-dll --field-trial-handle=11220,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11556 /prefetch:1
  2⤵
  PID:8076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=12548,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10936 /prefetch:14
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2896,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12256 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6536
- C:\Users\Admin\Downloads\StellarDataRecovery.exe
  "C:\Users\Admin\Downloads\StellarDataRecovery.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9556
- - C:\Users\Admin\AppData\Local\Temp\is-J3A4N.tmp\StellarDataRecovery.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J3A4N.tmp\StellarDataRecovery.tmp" /SL5="$A02DE,125914837,952320,C:\Users\Admin\Downloads\StellarDataRecovery.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:9596
  - - C:\Program Files\Stellar Data Recovery\K-Lite_Codec_Pack_1766_Standard.exe
      "C:\Program Files\Stellar Data Recovery\K-Lite_Codec_Pack_1766_Standard.exe" /VERYSILENT
      4⤵
      System Location Discovery: System Language Discovery
      PID:336
    - - C:\Users\Admin\AppData\Local\Temp\is-DSHCI.tmp\K-Lite_Codec_Pack_1766_Standard.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DSHCI.tmp\K-Lite_Codec_Pack_1766_Standard.tmp" /SL5="$80232,18994698,422400,C:\Program Files\Stellar Data Recovery\K-Lite_Codec_Pack_1766_Standard.exe" /VERYSILENT
        5⤵
        Checks computer location settings
        Identifies Wine through registry keys
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:8292
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub\vsfilter.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8996
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\DirectVobSub64\vsfilter.dll"
        6⤵
        Modifies registry class
        
        PID:9984
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVAudio.ax"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVVideo.ax"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8532
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9432
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\32-bit\IcarosThumbnailProvider.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\32-bit\IcarosPropertyHandler.dll"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6852
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVAudio.ax"
        6⤵
        
        PID:10000
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVVideo.ax"
        6⤵
        
        PID:9180
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\LAV64\LAVSplitter.ax"
        6⤵
        
        PID:10124
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\64-bit\IcarosThumbnailProvider.dll"
        6⤵
        
        PID:10096
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Icaros\64-bit\IcarosPropertyHandler.dll"
        6⤵
        Modifies registry class
        
        PID:8528
      - C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
        
        "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9140
      - C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe
        
        "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x86.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;s:y;p:full;i:so,sc;m:set;w:dacl"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8256
      - C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
        
        "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn setowner -ownr "n:S-1-5-32-544;s:y"
        6⤵
        
        PID:8928
      - C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe
        
        "C:\Program Files (x86)\K-Lite Codec Pack\Tools\setacl_x64.exe" -ot reg -on "HKLM\SOFTWARE\Microsoft\DirectShow\Preferred" -actn ace -ace "n:S-1-5-32-544;s:y;p:full;i:so,sc;m:set;w:dacl"
        6⤵
        
        PID:9856
  - - C:\Program Files\Stellar Data Recovery\StellarDataRecovery.exe
      "C:\Program Files\Stellar Data Recovery\StellarDataRecovery.exe"
      4⤵
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:9320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\wbem\WMIC.exe diskdrive get Model,SerialNumber,Index >> C:\Users\Admin\AppData\Local\Temp\DiskDetails.txt
        5⤵
        
        PID:6852
      - C:\Windows\system32\wbem\WMIC.exe
        
        C:\Windows\system32\wbem\WMIC.exe diskdrive get Model,SerialNumber,Index
        6⤵
        
        PID:9092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\wbem\WMIC.exe diskdrive get MediaType,Index >> C:\Users\Admin\AppData\Local\Temp\DiskDetails.txt
        5⤵
        
        PID:8888
      - C:\Windows\system32\wbem\WMIC.exe
        
        C:\Windows\system32\wbem\WMIC.exe diskdrive get MediaType,Index
        6⤵
        
        PID:8304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\wbem\WMIC.exe diskdrive get Model,SerialNumber,Index >> C:\Users\Admin\AppData\Local\Temp\DiskDetails.txt
        5⤵
        
        PID:9140
      - C:\Windows\system32\wbem\WMIC.exe
        
        C:\Windows\system32\wbem\WMIC.exe diskdrive get Model,SerialNumber,Index
        6⤵
        
        PID:8968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\wbem\WMIC.exe diskdrive get MediaType,Index >> C:\Users\Admin\AppData\Local\Temp\DiskDetails.txt
        5⤵
        
        PID:8812
      - C:\Windows\system32\wbem\WMIC.exe
        
        C:\Windows\system32\wbem\WMIC.exe diskdrive get MediaType,Index
        6⤵
        
        PID:8796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c smartctl64Bit.exe -a /dev/sda >> C:\Users\Admin\AppData\Local\Temp\SMART.txt
        5⤵
        
        PID:8772
      - C:\Program Files\Stellar Data Recovery\smartctl64Bit.exe
        
        smartctl64Bit.exe -a /dev/sda
        6⤵
        Writes to the Master Boot Record (MBR)
        
        PID:9240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.stellarinfo.com/services/data-recovery.php?utm_source=Stellar-Data-Recovery-Standard&utm_medium=EXE-Builds&utm_campaign=In-Lab-Services-co-uk-com
        5⤵
        
        PID:9952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://www.stellarinfo.com/services/data-recovery.php?utm_source=Stellar-Data-Recovery-Standard&utm_medium=EXE-Builds&utm_campaign=In-Lab-Services-co-uk-com
        6⤵
        
        PID:9700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.stellarinfo.com/installation/windows-data-recovery.php
      4⤵
      PID:8892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://www.stellarinfo.com/installation/windows-data-recovery.php
        5⤵
        
        PID:9096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11352,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:14
  2⤵
  PID:9304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --always-read-main-dll --field-trial-handle=10780,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12836 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=12520,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:14
  2⤵
  PID:8704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --always-read-main-dll --field-trial-handle=13012,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=13092 /prefetch:1
  2⤵
  PID:8420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11636,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=13248 /prefetch:14
  2⤵
  PID:6548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --always-read-main-dll --field-trial-handle=13252,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --always-read-main-dll --field-trial-handle=11692,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:7264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --always-read-main-dll --field-trial-handle=8756,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11696 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10132,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:14
  2⤵
  PID:9664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9472,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10748 /prefetch:14
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --always-read-main-dll --field-trial-handle=13372,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:1
  2⤵
  PID:7584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5636,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12276 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --always-read-main-dll --field-trial-handle=8692,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:9488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --always-read-main-dll --field-trial-handle=5576,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9460 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --always-read-main-dll --field-trial-handle=8980,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --always-read-main-dll --field-trial-handle=8748,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=13136 /prefetch:1
  2⤵
  PID:9924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8024,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11464 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5288
- C:\Users\Admin\Downloads\The Happy AntiVirus Setup Wizard.exe
  "C:\Users\Admin\Downloads\The Happy AntiVirus Setup Wizard.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7988
- - C:\Users\Admin\AppData\Local\Temp\is-U6O1L.tmp\The Happy AntiVirus Setup Wizard.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-U6O1L.tmp\The Happy AntiVirus Setup Wizard.tmp" /SL5="$1302AE,2427357,831488,C:\Users\Admin\Downloads\The Happy AntiVirus Setup Wizard.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
  - - C:\Program Files (x86)\Happy Antivirus\Happy Antivirus.exe
      "C:\Program Files (x86)\Happy Antivirus\Happy Antivirus.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:6528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im sidebar.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:9132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:8828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im firefox.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:6188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im iexplore.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:8592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:9484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im safari.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --always-read-main-dll --field-trial-handle=7936,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --always-read-main-dll --field-trial-handle=13208,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12848 /prefetch:1
  2⤵
  PID:8156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --always-read-main-dll --field-trial-handle=13472,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11464 /prefetch:1
  2⤵
  PID:8244
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11796,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11548 /prefetch:14
  2⤵
  PID:10036
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11796,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11548 /prefetch:14
  2⤵
  PID:6596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=12400,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11448 /prefetch:14
  2⤵
  PID:6328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --always-read-main-dll --field-trial-handle=8648,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10976 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --always-read-main-dll --field-trial-handle=12516,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12324 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --always-read-main-dll --field-trial-handle=12460,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10320 /prefetch:1
  2⤵
  PID:7600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10580,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8920 /prefetch:14
  2⤵
  PID:8656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8700,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10668 /prefetch:14
  2⤵
  PID:7404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --always-read-main-dll --field-trial-handle=11452,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9160,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9796 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --always-read-main-dll --field-trial-handle=13536,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=9436 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9772,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=13504 /prefetch:14
  2⤵
  PID:5688
- C:\Users\Admin\Downloads\SpySheriff.exe
  "C:\Users\Admin\Downloads\SpySheriff.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --always-read-main-dll --field-trial-handle=8372,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11280 /prefetch:1
  2⤵
  PID:8344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=10904,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=10332 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=13548,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=11472 /prefetch:14
  2⤵
  PID:5448
- C:\Users\Admin\Downloads\AdwereCleaner.exe
  "C:\Users\Admin\Downloads\AdwereCleaner.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:8372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11764,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=8400 /prefetch:14
  2⤵
  PID:8896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=12220,i,12668507189767068005,9304738543229187842,262144 --variations-seed-version --mojo-platform-channel-handle=12316 /prefetch:14
  2⤵
  PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4976

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:6720
- C:\Users\Admin\Wavesor Software\SWUpdater\Install\{D571E701-90B5-49C6-9DC0-4D513A8261D9}\WaveInstaller-v1.5.20.5.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\Install\{D571E701-90B5-49C6-9DC0-4D513A8261D9}\WaveInstaller-v1.5.20.5.exe" /installerdata="C:\Users\Admin\AppData\Local\Temp\guiEEB7.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7016
- - C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\wavebrowser.packed.7z" --wid=uqlwbmtn --installerdata="C:\Users\Admin\AppData\Local\Temp\guiEEB7.tmp"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:200
  - - C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.20.5 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7d6808980,0x7ff7d680898c,0x7ff7d6808998
      4⤵
      Executes dropped EXE
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe" --verbose-logging --installerdata="C:\Users\Admin\AppData\Local\Temp\guiEEB7.tmp" --create-shortcuts=0 --install-level=0
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\nskF213.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.20.5 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7d6808980,0x7ff7d680898c,0x7ff7d6808998
        5⤵
        Executes dropped EXE
        
        PID:848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://install.wavebrowser.co/thank-you?tid=uqlwbmtn&src=d-cp21976981191-lp0-obem-wav-igfJrEHkHAREKAiIcNfAJQ-ab51-w64-brwsr&cid=21976981191&iid=wav&uid=5ba1d58e-602d-4627-8437-d33b08132ebe
      4⤵
      PID:3732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch https://install.wavebrowser.co/thank-you?tid=uqlwbmtn&src=d-cp21976981191-lp0-obem-wav-igfJrEHkHAREKAiIcNfAJQ-ab51-w64-brwsr&cid=21976981191&iid=wav&uid=5ba1d58e-602d-4627-8437-d33b08132ebe
        5⤵
        
        PID:1620
  - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
      "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --install-type=1 --from-installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6048
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.20.5 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb8bed6cf8,0x7ffb8bed6d04,0x7ffb8bed6d10
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTM5LjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzkuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9IntEMEFGMDQ4Mi0xMDQyLTQzM0MtQTc1NC03M0VGMzVGRDlGOTB9IiB1c2VyaWQ9Ins1YmExZDU4ZS02MDJkLTQ2MjctODQzNy1kMzNiMDgxMzJlYmV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezY2QjE5MjU3LURCNkQtNDJENS1BRDg4LTUxNkM4OURBNTY0N30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntFQjE0OUFEMi1DRTRFLTRGNTEtQjdGQy1BMTQ5RkFBNENDQUZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjUuMjAuNSIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cHM6Ly9jZG4uc3d1cGRhdGVyLmNvbS9idWlsZC9XYXZlQnJvd3Nlci9zdGFibGUvd2luLzExMjA5ODc3NzQ5ODEvNjQvV2F2ZUluc3RhbGxlci12MS41LjIwLjUuZXhlIiBkb3dubG9hZGVkPSIxMDQwNzA1MDQiIHRvdGFsPSIxMDQwNzA1MDQiIGRvd25sb2FkX3RpbWVfbXM9Ijk3NjEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI3NDIiIGRvd25sb2FkX3RpbWVfbXM9IjExMTExIiBkb3dubG9hZGVkPSIxMDQwNzA1MDQiIHRvdGFsPSIxMDQwNzA1MDQiIGluc3RhbGxfdGltZV9tcz0iMTkwNjYiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004CC
1⤵
PID:3028

C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
"C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --strtl=ti
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5280
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.20.5 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb8bed6cf8,0x7ffb8bed6d04,0x7ffb8bed6d10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3588
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2024,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5340
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=1696,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2100 /prefetch:11
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4192
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2364,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2524 /prefetch:13
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1312
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2892,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5268
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2900,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3156 /prefetch:9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4836
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3984,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3992 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6928
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4548,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4564 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8012
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4696,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8140
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4724,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8160
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4740,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8176
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4756,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3468
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4772,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6904
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4788,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1308
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4804,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3488
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4820,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1560
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4828,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7176
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6240,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7800
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6300,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6776
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6316,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5220
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6332,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:6840
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6348,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:8020
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6364,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:8004
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6380,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6396,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:8092
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=6756,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6252 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7660
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=6760,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8108 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7436
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8020,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7920 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8152,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8208 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:6220
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9636,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9656 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7196
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9644,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9812 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9632,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8044 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10072,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9624 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7164
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10188,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10180 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5940
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10028,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6932 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7120
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9676,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9924 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9776,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9708 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5836
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9740,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10488 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7824
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9724,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10632 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7436
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10220,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10340 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9952,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9752 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:7664
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6124,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10716 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:7916
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=10600,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10572 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:5836
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9772,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11980 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11908,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11768 /prefetch:14
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11420,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11252 /prefetch:14
  2⤵
  PID:7324
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11384,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11288 /prefetch:14
  2⤵
  PID:5196
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11944,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11332 /prefetch:14
  2⤵
  PID:8196
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11316,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11392 /prefetch:14
  2⤵
  PID:8216
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11668,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11052 /prefetch:14
  2⤵
  PID:8256
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11312,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10948 /prefetch:14
  2⤵
  PID:8296
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11068,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9784 /prefetch:14
  2⤵
  PID:8336
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8680,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8672 /prefetch:14
  2⤵
  PID:8376
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4016,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8592 /prefetch:14
  2⤵
  PID:8444
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9516,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9532 /prefetch:14
  2⤵
  PID:8456
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9552,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9400 /prefetch:14
  2⤵
  PID:8496
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10416,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10704 /prefetch:14
  2⤵
  PID:8536
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9284,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8504 /prefetch:14
  2⤵
  PID:8732
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8452,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9196 /prefetch:14
  2⤵
  PID:8752
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8456,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9280 /prefetch:14
  2⤵
  PID:8956
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9016,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9008 /prefetch:14
  2⤵
  PID:8988
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8364,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8904 /prefetch:14
  2⤵
  PID:9152
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8828,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8820 /prefetch:14
  2⤵
  PID:8608
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8832,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10404 /prefetch:14
  2⤵
  PID:7164
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=8824,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9916 /prefetch:14
  2⤵
  PID:8792
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9836,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9940 /prefetch:14
  2⤵
  PID:8212
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9968,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10040 /prefetch:14
  2⤵
  PID:8452
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10168,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12108 /prefetch:14
  2⤵
  PID:6292
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10160,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12248 /prefetch:14
  2⤵
  PID:8944
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12372,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12384 /prefetch:14
  2⤵
  PID:9176
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12524,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12536 /prefetch:14
  2⤵
  PID:8680
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12364,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12684 /prefetch:14
  2⤵
  PID:8528
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12844,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12856 /prefetch:14
  2⤵
  PID:9432
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12996,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13020 /prefetch:14
  2⤵
  PID:9512
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13004,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13012 /prefetch:14
  2⤵
  PID:9620
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10348,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13256 /prefetch:14
  2⤵
  PID:9640
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=13484,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13524 /prefetch:9
  2⤵
  PID:7196
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=12672,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13560 /prefetch:14
  2⤵
  PID:9056
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13712,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13724 /prefetch:14
  2⤵
  PID:8756
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13716,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13868 /prefetch:14
  2⤵
  PID:8204
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13248,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14020 /prefetch:14
  2⤵
  PID:8880
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=14012,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14168 /prefetch:14
  2⤵
  PID:9144
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=14008,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14328 /prefetch:14
  2⤵
  PID:6112
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=14176,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14348 /prefetch:14
  2⤵
  PID:8432
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=14612,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14188 /prefetch:14
  2⤵
  PID:8508
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=14636,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14768 /prefetch:9
  2⤵
  PID:10028
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=14920,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14900 /prefetch:9
  2⤵
  PID:9968
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=15232,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15216 /prefetch:9
  2⤵
  PID:8852
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=15436,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15580 /prefetch:9
  2⤵
  PID:6672
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=15548,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15892 /prefetch:9
  2⤵
  PID:9548
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=15612,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15996 /prefetch:9
  2⤵
  PID:9692
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=15564,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=11744 /prefetch:14
  2⤵
  PID:9648
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --field-trial-handle=15508,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8728 /prefetch:9
  2⤵
  PID:9700
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --field-trial-handle=11680,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15088 /prefetch:9
  2⤵
  PID:9804
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --field-trial-handle=15708,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15644 /prefetch:9
  2⤵
  PID:9904
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --field-trial-handle=15844,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16388 /prefetch:9
  2⤵
  PID:10076
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --field-trial-handle=16136,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16284 /prefetch:1
  2⤵
  PID:8516
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --field-trial-handle=16740,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15620 /prefetch:9
  2⤵
  PID:4904
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --field-trial-handle=11776,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12516 /prefetch:1
  2⤵
  PID:9336
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11956,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=12492 /prefetch:14
  2⤵
  PID:3980
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13884,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=13512 /prefetch:14
  2⤵
  PID:4576
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11864,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=9928 /prefetch:14
  2⤵
  PID:8112
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9876,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7192 /prefetch:14
  2⤵
  PID:6244
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=11320,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=244 /prefetch:14
  2⤵
  PID:8776
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=13456,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8432 /prefetch:14
  2⤵
  PID:8248
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=9148,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=14944 /prefetch:14
  2⤵
  PID:9536
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=1088,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10268 /prefetch:14
  2⤵
  PID:2012
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=16320,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16328 /prefetch:14
  2⤵
  PID:3536
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --field-trial-handle=16316,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15812 /prefetch:9
  2⤵
  PID:3900
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --field-trial-handle=4964,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=8008 /prefetch:9
  2⤵
  PID:8296
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4880,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5996 /prefetch:14
  2⤵
  PID:4700
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=15516,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16824 /prefetch:14
  2⤵
  PID:8576
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=10548,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16664 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=2288,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6340 /prefetch:14
  2⤵
  PID:8680
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --field-trial-handle=16328,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10360 /prefetch:9
  2⤵
  PID:4692
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10624,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10616 /prefetch:14
  2⤵
  PID:2540
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10988,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10556 /prefetch:14
  2⤵
  PID:2624
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4832,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=6576 /prefetch:14
  2⤵
  PID:7436
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=15444,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10560 /prefetch:14
  2⤵
  PID:9100
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --field-trial-handle=14928,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10268 /prefetch:9
  2⤵
  PID:7296
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=6032,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=520 /prefetch:14
  2⤵
  PID:4744
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=10360,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=1804 /prefetch:14
  2⤵
  PID:9296
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --field-trial-handle=5168,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=15840 /prefetch:9
  2⤵
  PID:8152
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --field-trial-handle=5280,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16752 /prefetch:9
  2⤵
  PID:7500
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5116,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5176 /prefetch:14
  2⤵
  PID:4956
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=139 --field-trial-handle=5188,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5988 /prefetch:9
  2⤵
  PID:3776
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5248,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=520 /prefetch:14
  2⤵
  PID:576
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=141 --field-trial-handle=10484,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=16452 /prefetch:9
  2⤵
  PID:9940
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5572,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5240 /prefetch:14
  2⤵
  PID:4764
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=143 --field-trial-handle=5136,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10608 /prefetch:9
  2⤵
  PID:5372
- C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
  "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5112,i,5757727322367912580,13843989999052048724,262144 --variations-seed-version=15 --mojo-platform-channel-handle=10364 /prefetch:14
  2⤵
  PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:8504
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:7148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9592

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /c
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3800
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /cr
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:8024
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource core
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:6248

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource scheduler
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:7724
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /registermsihelper
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:6180

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6368

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\22b0882d3d5646648055ed0f3fb24231 /t 9140 /p 8372
1⤵
PID:9116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery