plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2937.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2937.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Vedoshaetivy.exe

Loads dropped DLL 58 IoCs

pid	Process
984	Install2.tmp
4272	installer.exe
4272	installer.exe
4272	installer.exe
5088	MsiExec.exe
5088	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
6084	MsiExec.exe
4272	installer.exe
6084	MsiExec.exe
6084	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
6084	MsiExec.exe
5860	cmd.exe
5948	toolspab1.exe
1984	installer.exe
1984	installer.exe
1984	installer.exe
936	MsiExec.exe
936	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
5436	MsiExec.exe
1984	installer.exe
5436	MsiExec.exe
5436	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5436	MsiExec.exe
6008	uuhgtwr
744	uuhgtwr
5460	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerSupporter = "C:\\ProgramData\\HandlerSupport\\HdcpHelper.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2937.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\HandlerSupporter	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent FD6E830F2F98194B	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WindowsAppPool\AppPool	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4476	2937.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 5940	3224	svchost.exe	120
PID 5148 set thread context of 5948	5148	toolspab1.exe	145
PID 412 set thread context of 6008	412	uuhgtwr	173
PID 580 set thread context of 744	580	uuhgtwr	183
PID 5392 set thread context of 5460	5392	Process not Found	3045

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\MSBuild\Ludyshaeroju.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-L8JEU.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\BEJHTEHDPG\ultramediaburner.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-NJ61L.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\MSBuild\Ludyshaeroju.exe	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\BEJHTEHDPG\ultramediaburner.exe.config	Ultra.exe

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA62A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA691.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA43.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7AE.tmp	msiexec.exe
File created	C:\Windows\Installer\f74a0ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74a0ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA680.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB037.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB451.tmp	msiexec.exe
File created	C:\Windows\Installer\f74a0cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA86F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA595.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB52E.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA985.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB52.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB64A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA33D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB346.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA94B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB017.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB56D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA496.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA556.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA74F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA78E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4748	5692	WerFault.exe	177

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uuhgtwr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5448	Process not Found
820	Process not Found
4028	schtasks.exe
4136	Process not Found
3948	schtasks.exe
3000	schtasks.exe
2184	Process not Found
3620	Process not Found
4788	Process not Found
704	Process not Found
4796	schtasks.exe
2408	schtasks.exe
4132	Process not Found
4976	Process not Found
5188	schtasks.exe
956	Process not Found
2080	Process not Found
804	Process not Found
4244	Process not Found
2800	Process not Found
3852	schtasks.exe
1248	schtasks.exe
4136	Process not Found
5460	Process not Found
3924	Process not Found
2764	Process not Found
1328	Process not Found
4264	Process not Found
5972	Process not Found
3240	Process not Found
5436	schtasks.exe
284	Process not Found
1260	Process not Found
3328	Process not Found
4232	schtasks.exe
3512	schtasks.exe
824	Process not Found
3144	Process not Found
2996	Process not Found
3192	Process not Found
196	Process not Found
5444	Process not Found
2260	schtasks.exe
2736	schtasks.exe
1892	Process not Found
3988	Process not Found
3068	Process not Found
6024	schtasks.exe
2648	schtasks.exe
3508	Process not Found
4908	schtasks.exe
5136	Process not Found
2008	schtasks.exe
2788	schtasks.exe
3200	Process not Found
6080	Process not Found
316	schtasks.exe
5604	Process not Found
4232	Process not Found
5188	schtasks.exe
3940	Process not Found
4220	Process not Found
5192	Process not Found
1496	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4448	taskkill.exe
3828	taskkill.exe
5832	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000128f0bc08cb93a7f04e666486f5c652e7205d17660e68831a1afe07be70f0b4a1abbe641775573b56ab2de82af4f53c29523b3a0beef31bb5bb6	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5cfb0624434ad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "5300"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000cbada3486381c6a919235741ecea29c9fb8dd387c4b0604470244bf43e35468608bee5b35cefa7e6b6f878aa7109c66014531ab70a013b86ee5273a2154ad77b2ca0e9ca14ea46d62c274fe63a1c2f896239b5a4e7ee4f8c70aa931242e409c881f212943f92bbdc144f9e68c4448c1477e00f5b5e9906b8a9cae5a8c8224cb26b56f5df8207788e3d10dea00ca28ab99fe8b104e620d8957854a992f7265836126b0c3bc469abdc5e0afb2e6254d580f4f190a82ba50baf4ae6e4561c0f5b508cd0cbf0bfd8fb0a3addc19efa7b0481ae9b63f4b046222ccc21f0f211fd9daa5227f31ed8744e78b728b86ba1377beb5687af147e25d24249a6178ae80ff38c0b0f41d5a25d0639dd8d028558a958674f5367a33c61ec769e13c3a4c7672f229d27da4bc3b3cc7ea2abdbd617ef5bc00aa0519dfd191eab780a5bfd1b24cd0d64113e228f969dcdde22f59add2ac1e1ec0ef372426f8503f32924df3366a94d256cd4b4f5267b0bd8921f417f7b1f23d23df11bfb8198929b11ca167a4dac72d8d79e7bb783e9501e9bfce831001ee6ddcdc446287124dc16257605bab6f666258533a7f9a9	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7efac33e434ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "327961287"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 00d64889754ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
1436	reg.exe
5816	reg.exe
4264	reg.exe
96	Process not Found
5748	Process not Found
5392	Process not Found
5776	reg.exe
64	Process not Found
3520	Process not Found
2756	Process not Found
2996	Process not Found
4752	Process not Found
3108	Process not Found
5968	Process not Found
5808	Process not Found
5604	Process not Found
4088	Process not Found
4964	Process not Found
2368	Process not Found
4400	reg.exe
5112	Process not Found
2748	Process not Found
4336	Process not Found
296	Process not Found
4616	Process not Found
6084	Process not Found
3520	reg.exe
2060	reg.exe
1248	reg.exe
4516	Process not Found
2140	Process not Found
4320	Process not Found
5448	reg.exe
904	Process not Found
1988	Process not Found
5240	reg.exe
3804	Process not Found
4264	Process not Found
6004	Process not Found
5564	Process not Found
5952	Process not Found
5232	Process not Found
704	reg.exe
4336	reg.exe
4428	reg.exe
4452	reg.exe
6024	Process not Found
4152	Process not Found
876	Process not Found
4780	reg.exe
6052	reg.exe
4316	Process not Found
6052	Process not Found
2352	Process not Found
5224	Process not Found
1332	reg.exe
3524	reg.exe
1144	Process not Found
3960	Process not Found
3656	reg.exe
4332	reg.exe
3432	reg.exe
5136	reg.exe
1528	Process not Found

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5324	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	ultramediaburner.tmp
3492	ultramediaburner.tmp
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe
1852	Jagupiwely.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3036	Process not Found
412	HdcpHelper.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4344	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe
5948	toolspab1.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
5964	explorer.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
640	explorer.exe
3036	Process not Found
3036	Process not Found
6008	uuhgtwr
4952	explorer.exe
4952	explorer.exe
640	explorer.exe
640	explorer.exe
5964	explorer.exe
5964	explorer.exe
4344	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe
5964	explorer.exe
5964	explorer.exe
4952	explorer.exe
4952	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	Ultra.exe
Token: SeDebugPrivilege	1164	Vedoshaetivy.exe
Token: SeDebugPrivilege	1852	Jagupiwely.exe
Token: SeDebugPrivilege	4060	MicrosoftEdge.exe
Token: SeDebugPrivilege	4060	MicrosoftEdge.exe
Token: SeDebugPrivilege	4060	MicrosoftEdge.exe
Token: SeDebugPrivilege	4060	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4776	msiexec.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4540	MicrosoftEdgeCP.exe
Token: SeCreateTokenPrivilege	4272	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4272	installer.exe
Token: SeLockMemoryPrivilege	4272	installer.exe
Token: SeIncreaseQuotaPrivilege	4272	installer.exe
Token: SeMachineAccountPrivilege	4272	installer.exe
Token: SeTcbPrivilege	4272	installer.exe
Token: SeSecurityPrivilege	4272	installer.exe
Token: SeTakeOwnershipPrivilege	4272	installer.exe
Token: SeLoadDriverPrivilege	4272	installer.exe
Token: SeSystemProfilePrivilege	4272	installer.exe
Token: SeSystemtimePrivilege	4272	installer.exe
Token: SeProfSingleProcessPrivilege	4272	installer.exe
Token: SeIncBasePriorityPrivilege	4272	installer.exe
Token: SeCreatePagefilePrivilege	4272	installer.exe
Token: SeCreatePermanentPrivilege	4272	installer.exe
Token: SeBackupPrivilege	4272	installer.exe
Token: SeRestorePrivilege	4272	installer.exe
Token: SeShutdownPrivilege	4272	installer.exe
Token: SeDebugPrivilege	4272	installer.exe
Token: SeAuditPrivilege	4272	installer.exe
Token: SeSystemEnvironmentPrivilege	4272	installer.exe
Token: SeChangeNotifyPrivilege	4272	installer.exe
Token: SeRemoteShutdownPrivilege	4272	installer.exe
Token: SeUndockPrivilege	4272	installer.exe
Token: SeSyncAgentPrivilege	4272	installer.exe
Token: SeEnableDelegationPrivilege	4272	installer.exe
Token: SeManageVolumePrivilege	4272	installer.exe
Token: SeImpersonatePrivilege	4272	installer.exe
Token: SeCreateGlobalPrivilege	4272	installer.exe
Token: SeCreateTokenPrivilege	4272	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4272	installer.exe
Token: SeLockMemoryPrivilege	4272	installer.exe
Token: SeIncreaseQuotaPrivilege	4272	installer.exe
Token: SeMachineAccountPrivilege	4272	installer.exe
Token: SeTcbPrivilege	4272	installer.exe
Token: SeSecurityPrivilege	4272	installer.exe
Token: SeTakeOwnershipPrivilege	4272	installer.exe
Token: SeLoadDriverPrivilege	4272	installer.exe
Token: SeSystemProfilePrivilege	4272	installer.exe
Token: SeSystemtimePrivilege	4272	installer.exe
Token: SeProfSingleProcessPrivilege	4272	installer.exe
Token: SeIncBasePriorityPrivilege	4272	installer.exe
Token: SeCreatePagefilePrivilege	4272	installer.exe
Token: SeCreatePermanentPrivilege	4272	installer.exe
Token: SeBackupPrivilege	4272	installer.exe
Token: SeRestorePrivilege	4272	installer.exe
Token: SeShutdownPrivilege	4272	installer.exe
Token: SeDebugPrivilege	4272	installer.exe
Token: SeAuditPrivilege	4272	installer.exe
Token: SeSystemEnvironmentPrivilege	4272	installer.exe
Token: SeChangeNotifyPrivilege	4272	installer.exe
Token: SeRemoteShutdownPrivilege	4272	installer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3492	ultramediaburner.tmp
4272	installer.exe
1984	installer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4060	MicrosoftEdge.exe
4344	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3036	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 984	2016	Install2.exe	72
PID 2016 wrote to memory of 984	2016	Install2.exe	72
PID 2016 wrote to memory of 984	2016	Install2.exe	72
PID 984 wrote to memory of 3472	984	Install2.tmp	77
PID 984 wrote to memory of 3472	984	Install2.tmp	77
PID 3472 wrote to memory of 3296	3472	Ultra.exe	81
PID 3472 wrote to memory of 3296	3472	Ultra.exe	81
PID 3472 wrote to memory of 3296	3472	Ultra.exe	81
PID 3296 wrote to memory of 3492	3296	ultramediaburner.exe	82
PID 3296 wrote to memory of 3492	3296	ultramediaburner.exe	82
PID 3296 wrote to memory of 3492	3296	ultramediaburner.exe	82
PID 3472 wrote to memory of 1164	3472	Ultra.exe	83
PID 3472 wrote to memory of 1164	3472	Ultra.exe	83
PID 3492 wrote to memory of 2656	3492	ultramediaburner.tmp	84
PID 3492 wrote to memory of 2656	3492	ultramediaburner.tmp	84
PID 3472 wrote to memory of 1852	3472	Ultra.exe	85
PID 3472 wrote to memory of 1852	3472	Ultra.exe	85
PID 1852 wrote to memory of 5520	1852	Jagupiwely.exe	90
PID 1852 wrote to memory of 5520	1852	Jagupiwely.exe	90
PID 5520 wrote to memory of 5724	5520	cmd.exe	92
PID 5520 wrote to memory of 5724	5520	cmd.exe	92
PID 5520 wrote to memory of 5724	5520	cmd.exe	92
PID 1852 wrote to memory of 4016	1852	Jagupiwely.exe	93
PID 1852 wrote to memory of 4016	1852	Jagupiwely.exe	93
PID 4016 wrote to memory of 4272	4016	cmd.exe	95
PID 4016 wrote to memory of 4272	4016	cmd.exe	95
PID 4016 wrote to memory of 4272	4016	cmd.exe	95
PID 4776 wrote to memory of 5088	4776	msiexec.exe	100
PID 4776 wrote to memory of 5088	4776	msiexec.exe	100
PID 4776 wrote to memory of 5088	4776	msiexec.exe	100
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 5704	4272	installer.exe	102
PID 4272 wrote to memory of 5704	4272	installer.exe	102
PID 4272 wrote to memory of 5704	4272	installer.exe	102
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4344 wrote to memory of 4540	4344	MicrosoftEdgeCP.exe	97
PID 4776 wrote to memory of 6084	4776	msiexec.exe	103
PID 4776 wrote to memory of 6084	4776	msiexec.exe	103
PID 4776 wrote to memory of 6084	4776	msiexec.exe	103
PID 6084 wrote to memory of 4448	6084	MsiExec.exe	104
PID 6084 wrote to memory of 4448	6084	MsiExec.exe	104
PID 6084 wrote to memory of 4448	6084	MsiExec.exe	104
PID 4776 wrote to memory of 4204	4776	msiexec.exe	106
PID 4776 wrote to memory of 4204	4776	msiexec.exe	106
PID 4776 wrote to memory of 4204	4776	msiexec.exe	106
PID 1852 wrote to memory of 4052	1852	Jagupiwely.exe	110
PID 1852 wrote to memory of 4052	1852	Jagupiwely.exe	110
PID 4052 wrote to memory of 4764	4052	cmd.exe	112
PID 4052 wrote to memory of 4764	4052	cmd.exe	112
PID 4052 wrote to memory of 4764	4052	cmd.exe	112
PID 4764 wrote to memory of 4920	4764	hbggg.exe	113
PID 4764 wrote to memory of 4920	4764	hbggg.exe	113
PID 4764 wrote to memory of 4920	4764	hbggg.exe	113
PID 1852 wrote to memory of 5356	1852	Jagupiwely.exe	114
PID 1852 wrote to memory of 5356	1852	Jagupiwely.exe	114
PID 5356 wrote to memory of 5872	5356	cmd.exe	116
PID 5356 wrote to memory of 5872	5356	cmd.exe	116
PID 5356 wrote to memory of 5872	5356	cmd.exe	116
PID 5872 wrote to memory of 5860	5872	google-game.exe	136
PID 5872 wrote to memory of 5860	5872	google-game.exe	136
PID 5872 wrote to memory of 5860	5872	google-game.exe	136

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4572	attrib.exe
4340	attrib.exe
1356	attrib.exe
1080	attrib.exe
1168	attrib.exe
5004	attrib.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Modifies registry class
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:676
- C:\Users\Admin\AppData\Roaming\uuhgtwr
  C:\Users\Admin\AppData\Roaming\uuhgtwr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:412
- - C:\Users\Admin\AppData\Roaming\uuhgtwr
    C:\Users\Admin\AppData\Roaming\uuhgtwr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:6008
- C:\Users\Admin\AppData\Roaming\uuhgtwr
  C:\Users\Admin\AppData\Roaming\uuhgtwr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:580
- - C:\Users\Admin\AppData\Roaming\uuhgtwr
    C:\Users\Admin\AppData\Roaming\uuhgtwr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:744
- C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe
  C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\ProgramData\HandlerSupport\HdcpHelper.exe
  C:\ProgramData\HandlerSupport\HdcpHelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:60
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3380
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4264
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4916
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:4780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:5456
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5636
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:6100
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:196
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5468
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:3656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:2060
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5368
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3504
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:496
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5396
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5300
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5832
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5356
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5444
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:5972
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4724
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:4332
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:6124
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1304
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:64
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1008
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3136
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3508
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5048
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4824
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:5496
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5468
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5280
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3988
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3280
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5632
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5584
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:5776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4212
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:848
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:964
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:308
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:1436
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:800
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:5136
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:4560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5436
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6128
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5144
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5184
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5356
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5168
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:68
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:5816
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5580
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:5240
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5212
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5196
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5788
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:4336
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5488
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:5448
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1488
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:1284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:936
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5920
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4592
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5416
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:6072
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5364
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4788
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:4264
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5928
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5748
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:744
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4208
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5584
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5896
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5732
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3720
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:6072
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5424
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3336
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3204
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:3000
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3288
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4208
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3524
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:5436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:96
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4868
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4152
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3948
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5316
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4004
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:4988
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4568
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4212
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:1816
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5368
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1336
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3496
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:788
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5144
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4928
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4388
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:352
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:3304
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5176
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4452
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5240
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:96
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:6052
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:672
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:500
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4400
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:388
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Modifies registry key
      PID:3524
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:6128
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:5892
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:32
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:96
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4400
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      Adds Run key to start application
      PID:5504
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5460
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:6100
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5396
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5856
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5444
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:5432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:5788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\Install2.exe
"C:\Users\Admin\AppData\Local\Temp\Install2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\is-J4E86.tmp\Install2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J4E86.tmp\Install2.tmp" /SL5="$20110,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\is-J41G8.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-J41G8.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Program Files\Windows Defender Advanced Threat Protection\BEJHTEHDPG\ultramediaburner.exe
      "C:\Program Files\Windows Defender Advanced Threat Protection\BEJHTEHDPG\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\is-AKKH8.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AKKH8.tmp\ultramediaburner.tmp" /SL5="$C0062,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\BEJHTEHDPG\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\7b-47ec6-b76-974ba-c64a68fa352a6\Vedoshaetivy.exe
      "C:\Users\Admin\AppData\Local\Temp\7b-47ec6-b76-974ba-c64a68fa352a6\Vedoshaetivy.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\85-d020e-790-b9ea6-22aae2ad76bf9\Jagupiwely.exe
      "C:\Users\Admin\AppData\Local\Temp\85-d020e-790-b9ea6-22aae2ad76bf9\Jagupiwely.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbz5c31s.qcd\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\cbz5c31s.qcd\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbz5c31s.qcd\001.exe
        6⤵
        Executes dropped EXE
        
        PID:5724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\erhesi4u.vio\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\erhesi4u.vio\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\erhesi4u.vio\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\erhesi4u.vio\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\erhesi4u.vio\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1620903729 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qxfyiym5.yug\hbggg.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\qxfyiym5.yug\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\qxfyiym5.yug\hbggg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ie2a1xlq.bbw\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\ie2a1xlq.bbw\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\ie2a1xlq.bbw\google-game.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5872
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        
        PID:5860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czwx0pnn.3gd\huesaa.exe & exit
        5⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\czwx0pnn.3gd\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\czwx0pnn.3gd\huesaa.exe
        6⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:6104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\egruhic4.1hg\setup.exe & exit
        5⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Local\Temp\egruhic4.1hg\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\egruhic4.1hg\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\egruhic4.1hg\setup.exe"
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kyj34w1d.s5y\askinstall39.exe & exit
        5⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\kyj34w1d.s5y\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\kyj34w1d.s5y\askinstall39.exe
        6⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:3828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\db3ufoqq.mxo\customer1.exe & exit
        5⤵
        Loads dropped DLL
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\db3ufoqq.mxo\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\db3ufoqq.mxo\customer1.exe
        6⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\knifzllf.tqu\toolspab1.exe & exit
        5⤵
        
        PID:4724
      - C:\Users\Admin\AppData\Local\Temp\knifzllf.tqu\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\knifzllf.tqu\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\knifzllf.tqu\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\knifzllf.tqu\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z3w2q0b2.3yc\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:4272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4lilw1x2.14h\005.exe & exit
        5⤵
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\4lilw1x2.14h\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\4lilw1x2.14h\005.exe
        6⤵
        Executes dropped EXE
        
        PID:5108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m3lj1adf.kf5\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\m3lj1adf.kf5\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\m3lj1adf.kf5\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:1984
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\m3lj1adf.kf5\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\m3lj1adf.kf5\ EXE_CMD_LINE="/forcecleanup /wintime 1620903729 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:3172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:3224
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 68B96D71E7731CF95240B8F49790C036 C
  2⤵
  - Loads dropped DLL
  PID:5088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D11FFE9AAEEAFE3E01CB3418AD5E7ED3
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:6084
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FD6C6CA8C7D8D03A37FEE9EEECC94067 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3B2E27509A9FDEBA9EDA52B6F89C990D C
  2⤵
  - Loads dropped DLL
  PID:936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8195F2E1953C44BAA634604D43DBFECD
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5436
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0826552D4F329A189CDB8F414BD988BB E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5312

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5692 -s 3080
  2⤵
  - Program crash
  PID:4748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5992

C:\Users\Admin\AppData\Local\Temp\2937.exe
C:\Users\Admin\AppData\Local\Temp\2937.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4476
- C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe
  "C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe"
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\EdjaAfel.exe"
    3⤵
    PID:5732
- C:\Users\Admin\AppData\Local\Temp\IcljGliE.exe
  "C:\Users\Admin\AppData\Local\Temp\IcljGliE.exe"
  2⤵
  - Executes dropped EXE
  PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DEL /Q /F C:\ProgramData\HandlerSupport\1.rar
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DEL /Q /F C:\ProgramData\HandlerSupport\2.rar
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DEL /Q /F C:\ProgramData\HandlerSupport\Rar.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport
    3⤵
    PID:4488
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport
      4⤵
      Views/modifies file attributes
      PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport\HandlerUpdater.exe
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport\HandlerUpdater.exe
      4⤵
      Views/modifies file attributes
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport\HdcpHelper.exe
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport\HdcpHelper.exe
      4⤵
      Views/modifies file attributes
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport\nvrtc64_102_0.dll
    3⤵
    PID:392
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport\nvrtc64_102_0.dll
      4⤵
      Views/modifies file attributes
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport\nvrtc-builtins64_102.dll
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport\nvrtc-builtins64_102.dll
      4⤵
      Views/modifies file attributes
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\HandlerSupport\xmrig-cuda.dll
    3⤵
    PID:5468
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\HandlerSupport\xmrig-cuda.dll
      4⤵
      Views/modifies file attributes
      PID:4340
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "HandlerSupporter" /tr "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "HandlerSupporter" /d "C:\ProgramData\HandlerSupport\HdcpHelper.exe" /f
      4⤵
      PID:2132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery