gurcu | 6924a46b113d08d047f3e26c349c025e5f575afd7b1a7719c0000d0c570cce6a

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FACEIT = "\"C:\\Users\\Admin\\AppData\\Local\\FACEIT\\update.exe\" --processStart \"FACEIT.exe\""	reg.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	_unins.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	FACEIT.exe

Suspicious use of NtCreateThreadExHideFromDebugger 64 IoCs

pid	Process
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe
3512	faceitclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\FACEIT AC\unins000.dat	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-90QNH.tmp	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-C0CLA.tmp	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\unins000.msg	FACEITInstaller_64.tmp
File opened for modification	C:\Program Files\FACEIT AC\logs\service-2024-07-01-140436.log	faceitservice.exe
File opened for modification	C:\Program Files\FACEIT AC\preloader.dll	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-0C8PU.tmp	FACEITInstaller_64.tmp
File opened for modification	C:\Program Files\FACEIT AC\unins000.dat	FACEITInstaller_64.tmp
File opened for modification	C:\Program Files\FACEIT AC\tmp\FACEIT_1323.zip	faceitservice.exe
File opened for modification	C:\Program Files\FACEIT AC\runtime.dll	FACEITInstaller_64.tmp
File opened for modification	C:\Program Files\FACEIT AC\faceitservice.exe	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-5D224.tmp	FACEITInstaller_64.tmp
File opened for modification	C:\Program Files\FACEIT AC\faceitclient.exe	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-RJRUC.tmp	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\is-JFCSI.tmp	FACEITInstaller_64.tmp
File created	C:\Program Files\FACEIT AC\qt_temp.sQzcfm	faceitservice.exe
File opened for modification	C:\Program Files\FACEIT AC\faceit-ingame64.dll	faceitservice.exe
File opened for modification	C:\Program Files\FACEIT AC\FACEIT_1323.sys.tmp	faceitservice.exe
File opened for modification	C:\Program Files\FACEIT AC\unins000.dat	_unins.tmp
File opened for modification	C:\Program Files\FACEIT AC\faceit-ingame64.dll	_unins.tmp

Executes dropped EXE 42 IoCs

pid	Process
2992	FACEITInstaller_64.tmp
5028	faceitservice.exe
1116	FACEIT-setup-latest.exe
4316	Update.exe
2016	Squirrel.exe
2560	FACEIT.exe
2812	FACEIT.exe
1448	Update.exe
3296	FACEIT.exe
4100	FACEIT.exe
2432	FACEIT.exe
3992	FACEIT.exe
388	FACEIT.exe
1860	FACEIT.exe
3536	FACEIT.exe
4848	FACEIT.exe
4516	FACEIT.exe
5340	Update.exe
4300	FACEIT.exe
2508	FACEIT.exe
1144	FACEIT.exe
2968	FACEIT.exe
4084	FACEIT.exe
3428	FACEIT.exe
3620	FACEIT.exe
4376	FACEIT.exe
3756	FACEIT.exe
5392	FACEIT.exe
788	FACEIT.exe
3820	FACEIT.exe
4944	FACEIT.exe
1848	FACEIT.exe
5180	FACEIT.exe
2992	FACEIT.exe
5312	FACEIT.exe
3512	faceitclient.exe
2128	faceitservice.exe
5840	unins000.exe
1484	_unins.tmp
4452	FACEIT Anti-Cheat.exe
4400	FACEIT Anti-Cheat.tmp
4936	FACEIT Anti-Cheat.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3292	sc.exe
1476	sc.exe
5924	sc.exe
1652	sc.exe
5048	sc.exe
3412	sc.exe
3860	sc.exe
2828	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2812	FACEIT.exe
3296	FACEIT.exe
4100	FACEIT.exe
3296	FACEIT.exe
3296	FACEIT.exe
3296	FACEIT.exe
3296	FACEIT.exe
3296	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1124	powershell.exe
2848	powershell.exe
5036	powershell.exe
6132	powershell.exe
212	powershell.exe
2064	powershell.exe
4040	powershell.exe
4384	powershell.exe
920	powershell.exe
4524	powershell.exe
3672	powershell.exe
3756	powershell.exe
2080	powershell.exe
5372	powershell.exe
184	powershell.exe
5008	powershell.exe
4816	powershell.exe
3960	powershell.exe
2884	powershell.exe
1044	powershell.exe
232	powershell.exe
992	powershell.exe
1640	powershell.exe
5640	powershell.exe
4352	powershell.exe
4936	powershell.exe
1848	powershell.exe
5420	powershell.exe
3004	powershell.exe
4492	powershell.exe
2452	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FACEIT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FACEIT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FACEIT.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5416	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	faceitservice.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643162051663543"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	faceitservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	faceitservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell	faceitclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FACEITAnti-CheatFile.myp\shell\open	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Applications\FACEIT Anti-Cheat.exe	FACEIT Anti-Cheat.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\URL Protocol	FACEITInstaller_64.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac	faceitclient.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell\Open\Command	_unins.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell\open\command	FACEITInstaller_64.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FACEITAnti-CheatFile.myp	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	FACEIT.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell\open\command	_unins.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_unins.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.myp\OpenWithProgids	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.myp	FACEIT Anti-Cheat.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.myp\OpenWithProgids\FACEITAnti-CheatFile.myp	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Applications\FACEIT Anti-Cheat.exe\SupportedTypes	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell\Open\Command\ = "\"C:\\Program Files\\FACEIT AC\\faceitclient.exe\" -- \"%1\""	faceitclient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FACEITAnti-CheatFile.myp\shell	FACEIT Anti-Cheat.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\ = "URL:faceitac Protocol"	faceitclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac	FACEITInstaller_64.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell\Open	_unins.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell\open	_unins.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\ = "URL:faceitac Protocol"	FACEITInstaller_64.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\URL Protocol	faceitclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell\Open\Command	faceitclient.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell	_unins.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell	FACEITInstaller_64.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Applications	FACEIT Anti-Cheat.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\faceitac\Shell\Open	faceitclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874449"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FACEITAnti-CheatFile.myp\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\FACEIT Anti-Cheat\\FACEIT Anti-Cheat.exe,0"	FACEIT Anti-Cheat.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell\open	FACEITInstaller_64.tmp
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FACEITAnti-CheatFile.myp\DefaultIcon	FACEIT Anti-Cheat.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\faceitac\shell\open\command\ = "\"C:\\Program Files\\FACEIT AC\\faceitclient.exe\" -- \"%1\""	FACEITInstaller_64.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39080000000000	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
2648	reg.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	faceitservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	faceitservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	faceitclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	faceitclient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	faceitservice.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3512	faceitclient.exe
3908	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	FACEITInstaller_64.tmp
2992	FACEITInstaller_64.tmp
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
2560	FACEIT.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
2884	powershell.exe
2884	powershell.exe
3672	powershell.exe
3672	powershell.exe
2064	powershell.exe
2064	powershell.exe
2884	powershell.exe
3672	powershell.exe
2064	powershell.exe
4936	powershell.exe
4936	powershell.exe
1044	powershell.exe
1044	powershell.exe
4352	powershell.exe
4352	powershell.exe
1044	powershell.exe
4936	powershell.exe
4352	powershell.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
6132	powershell.exe
6132	powershell.exe
1848	powershell.exe
1848	powershell.exe
5420	powershell.exe
5420	powershell.exe
1848	powershell.exe
6132	powershell.exe
992	powershell.exe
992	powershell.exe
5420	powershell.exe
3004	powershell.exe
3004	powershell.exe
4040	powershell.exe
4040	powershell.exe
3004	powershell.exe
992	powershell.exe
4040	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
5008	powershell.exe
5008	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3512	faceitclient.exe
3908	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1208	AUDIODG.EXE
Token: SeShutdownPrivilege	2560	FACEIT.exe
Token: SeCreatePagefilePrivilege	2560	FACEIT.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeShutdownPrivilege	2560	FACEIT.exe
Token: SeCreatePagefilePrivilege	2560	FACEIT.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe
Token: 36	5036	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2064	powershell.exe
Token: SeSecurityPrivilege	2064	powershell.exe
Token: SeTakeOwnershipPrivilege	2064	powershell.exe
Token: SeLoadDriverPrivilege	2064	powershell.exe
Token: SeSystemProfilePrivilege	2064	powershell.exe
Token: SeSystemtimePrivilege	2064	powershell.exe
Token: SeProfSingleProcessPrivilege	2064	powershell.exe
Token: SeIncBasePriorityPrivilege	2064	powershell.exe
Token: SeCreatePagefilePrivilege	2064	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	FACEITInstaller_64.tmp
4316	Update.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
5172	taskmgr.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
3992	FACEIT.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe
5928	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5840	unins000.exe
1484	_unins.tmp
4936	FACEIT Anti-Cheat.exe
4936	FACEIT Anti-Cheat.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3512	faceitclient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2992	3028	FACEITInstaller_64.exe	86
PID 3028 wrote to memory of 2992	3028	FACEITInstaller_64.exe	86
PID 3028 wrote to memory of 2992	3028	FACEITInstaller_64.exe	86
PID 2992 wrote to memory of 3412	2992	FACEITInstaller_64.tmp	96
PID 2992 wrote to memory of 3412	2992	FACEITInstaller_64.tmp	96
PID 2992 wrote to memory of 3860	2992	FACEITInstaller_64.tmp	98
PID 2992 wrote to memory of 3860	2992	FACEITInstaller_64.tmp	98
PID 2992 wrote to memory of 2828	2992	FACEITInstaller_64.tmp	101
PID 2992 wrote to memory of 2828	2992	FACEITInstaller_64.tmp	101
PID 2992 wrote to memory of 3292	2992	FACEITInstaller_64.tmp	103
PID 2992 wrote to memory of 3292	2992	FACEITInstaller_64.tmp	103
PID 2992 wrote to memory of 5028	2992	FACEITInstaller_64.tmp	105
PID 2992 wrote to memory of 5028	2992	FACEITInstaller_64.tmp	105
PID 2992 wrote to memory of 1116	2992	FACEITInstaller_64.tmp	106
PID 2992 wrote to memory of 1116	2992	FACEITInstaller_64.tmp	106
PID 2992 wrote to memory of 1116	2992	FACEITInstaller_64.tmp	106
PID 1116 wrote to memory of 4316	1116	FACEIT-setup-latest.exe	108
PID 1116 wrote to memory of 4316	1116	FACEIT-setup-latest.exe	108
PID 4316 wrote to memory of 2016	4316	Update.exe	110
PID 4316 wrote to memory of 2016	4316	Update.exe	110
PID 4316 wrote to memory of 2560	4316	Update.exe	111
PID 4316 wrote to memory of 2560	4316	Update.exe	111
PID 2560 wrote to memory of 5024	2560	FACEIT.exe	112
PID 2560 wrote to memory of 5024	2560	FACEIT.exe	112
PID 5024 wrote to memory of 4176	5024	cmd.exe	114
PID 5024 wrote to memory of 4176	5024	cmd.exe	114
PID 2560 wrote to memory of 2812	2560	FACEIT.exe	116
PID 2560 wrote to memory of 2812	2560	FACEIT.exe	116
PID 2560 wrote to memory of 1448	2560	FACEIT.exe	117
PID 2560 wrote to memory of 1448	2560	FACEIT.exe	117
PID 2560 wrote to memory of 5036	2560	FACEIT.exe	118
PID 2560 wrote to memory of 5036	2560	FACEIT.exe	118
PID 2560 wrote to memory of 4068	2560	FACEIT.exe	119
PID 2560 wrote to memory of 4068	2560	FACEIT.exe	119
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122
PID 2560 wrote to memory of 3296	2560	FACEIT.exe	122

C:\Users\Admin\AppData\Local\Temp\FACEITInstaller_64.exe
"C:\Users\Admin\AppData\Local\Temp\FACEITInstaller_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\is-6K8M4.tmp\FACEITInstaller_64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6K8M4.tmp\FACEITInstaller_64.tmp" /SL5="$501C0,102382602,1075200,C:\Users\Admin\AppData\Local\Temp\FACEITInstaller_64.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" stop FACEITService
    3⤵
    - Launches sc.exe
    PID:3412
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" delete FACEITService
    3⤵
    - Launches sc.exe
    PID:3860
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" stop FACEIT
    3⤵
    - Launches sc.exe
    PID:2828
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" delete FACEIT
    3⤵
    - Launches sc.exe
    PID:3292
- - C:\Program Files\FACEIT AC\faceitservice.exe
    "C:\Program Files\FACEIT AC\faceitservice.exe" -i
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\is-5C8JC.tmp\FACEIT-setup-latest.exe
    "C:\Users\Admin\AppData\Local\Temp\is-5C8JC.tmp\FACEIT-setup-latest.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\Squirrel.exe
        
        "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        5⤵
        Executes dropped EXE
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
        
        "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --squirrel-install 2.0.13
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "chcp"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4176
      - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
        
        C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\FACEIT /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\FACEIT\Crashpad --url=https://f.a.k/e --annotation=_productName=FACEIT --annotation=_version=2.0.13 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.0.6 --initial-client-data=0x6e0,0x6e4,0x6e8,0x6d8,0x6ec,0x7ff6ea241e58,0x7ff6ea241e64,0x7ff6ea241e70
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2812
      - C:\Users\Admin\AppData\Local\FACEIT\Update.exe
        
        C:\Users\Admin\AppData\Local\FACEIT\Update.exe --createShortcut FACEIT.exe
        6⤵
        Executes dropped EXE
        
        PID:1448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
        6⤵
        
        PID:4068
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
        7⤵
        Checks processor information in registry
        
        PID:4648
      - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
        
        "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2356,i,15781997275899962446,4065215246578513801,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2348 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3296
      - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
        
        "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2552,i,15781997275899962446,4065215246578513801,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
        6⤵
        
        PID:2000
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
        7⤵
        Checks processor information in registry
        
        PID:788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5172

C:\Users\Admin\AppData\Local\FACEIT\FACEIT.exe
"C:\Users\Admin\AppData\Local\FACEIT\FACEIT.exe"
1⤵
- Executes dropped EXE
PID:2432
- C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
  "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:2328
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:6128
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\FACEIT /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\FACEIT\Crashpad --url=https://f.a.k/e --annotation=_productName=FACEIT --annotation=_version=2.0.13 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.0.6 --initial-client-data=0x6e8,0x6ec,0x6f0,0x6e0,0x6f4,0x7ff6ea241e58,0x7ff6ea241e64,0x7ff6ea241e70
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    3⤵
    PID:5160
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
      4⤵
      Checks processor information in registry
      PID:3440
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2320,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:3536
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=3040,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:3
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    3⤵
    PID:1784
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
      4⤵
      Checks processor information in registry
      PID:5140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c "$OutputEncoding = [System.Console]::OutputEncoding = [System.Console]::InputEncoding = [System.Text.Encoding]::UTF8 ; Get-PnpDevice -PresentOnly -Status OK | where { $_.FriendlyName -like 'Bluetooth*' -or $_.Class -like 'Bluetooth*' } | Format-Table FriendlyName"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1640
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v FACEIT /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\FACEIT\update.exe\" --processStart \"FACEIT.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2648
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=3564,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4108,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4516
- - C:\Users\Admin\AppData\Local\FACEIT\Update.exe
    C:\Users\Admin\AppData\Local\FACEIT\Update.exe --checkForUpdate https://faceit-client.faceit-cdn.net/release
    3⤵
    - Executes dropped EXE
    PID:5340
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4216,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4300
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2508
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4576,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4516,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2968
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=4248,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4084
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4732,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3428
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4888,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3620
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4900,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4376
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4972,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3756
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5276,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5392
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5348,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:788
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5192,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3820
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5644,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4944
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5820,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1848
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6020,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5180
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6108,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2992
- - C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe
    "C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\FACEIT.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FACEIT" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.FACEIT.FACEIT --app-path="C:\Users\Admin\AppData\Local\FACEIT\app-2.0.13\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5404,i,13844894513042110387,3564278835896669199,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:5312
- - C:\Program Files\FACEIT AC\faceitclient.exe
    "C:\Program Files\FACEIT AC\faceitclient.exe" -- "faceitac://login/aad4e8dc-9b28-4635-8653-119f671f6281/e1e7d034-453d-4052-8dd8-eb094c5966f0"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Executes dropped EXE
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
    PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb64bfab58,0x7ffb64bfab68,0x7ffb64bfab78
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:2
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2316 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5804
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff68580ae48,0x7ff68580ae58,0x7ff68580ae68
    3⤵
    PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4252 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1880,i,7746997446693240991,445281797305360242,131072 /prefetch:2
  2⤵
  PID:2228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5536

C:\Program Files\FACEIT AC\faceitservice.exe
"C:\Program Files\FACEIT AC\faceitservice.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3908

C:\Program Files\FACEIT AC\unins000.exe
"C:\Program Files\FACEIT AC\unins000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5840
- C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
  "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files\FACEIT AC\unins000.exe" /FIRSTPHASEWND=$70208
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1484
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" stop FACEITService
    3⤵
    - Launches sc.exe
    PID:1476
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" delete FACEITService
    3⤵
    - Launches sc.exe
    PID:5924
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" stop FACEIT
    3⤵
    - Launches sc.exe
    PID:1652
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" delete FACEIT
    3⤵
    - Launches sc.exe
    PID:5048
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "taskkill /im FACEITClient.exe /f /t
    3⤵
    PID:5272
  - - C:\Windows\system32\taskkill.exe
      taskkill /im FACEITClient.exe /f /t
      4⤵
      Kills process with taskkill
      PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64bfab58,0x7ffb64bfab68,0x7ffb64bfab78
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:2
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3576 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4236 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5000 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4248 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=1936,i,13237488684457428327,9920457552028931938,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Users\Admin\Downloads\FACEIT Anti-Cheat.exe
  "C:\Users\Admin\Downloads\FACEIT Anti-Cheat.exe"
  2⤵
  - Executes dropped EXE
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\is-6KVQ6.tmp\FACEIT Anti-Cheat.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6KVQ6.tmp\FACEIT Anti-Cheat.tmp" /SL5="$1601BC,46181546,928256,C:\Users\Admin\Downloads\FACEIT Anti-Cheat.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:508

C:\Users\Admin\AppData\Local\Programs\FACEIT Anti-Cheat\FACEIT Anti-Cheat.exe
"C:\Users\Admin\AppData\Local\Programs\FACEIT Anti-Cheat\FACEIT Anti-Cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery