23f5ba8c7ec73c45f074138b8c09da7003d1d3c4bea3b2546755d52d583f8775

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TuberankJeetMAUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TuberankJeetMAUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	VisualCppRedist_AIO_x86_x64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

pid	Process
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
396	Business.exe
3704	Business.tmp
3480	mbae-uninstaller.exe
4684	mbae-svc.exe
4628	mbae-svc.exe
3592	mbae64.exe
3484	VisualCppRedist_AIO_x86_x64.exe
5192	TuberankJeetMAUI.exe
536	TuberankJeetMAUI.exe
4384	MicrosoftEdgeWebview2Setup.exe
4996	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdate.exe
2936	MicrosoftEdgeUpdate.exe
4776	MicrosoftEdgeUpdateComRegisterShell64.exe
4872	MicrosoftEdgeUpdateComRegisterShell64.exe
3548	MicrosoftEdgeUpdateComRegisterShell64.exe
5236	MicrosoftEdgeUpdate.exe
5032	MicrosoftEdgeUpdate.exe
5472	MicrosoftEdgeUpdate.exe
4820	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3704	Business.tmp
4684	mbae-svc.exe
4628	mbae-svc.exe
5684	vcredist_x86.exe
1720	vcredist_x64.exe
220	vcredist_x86.exe
5056	vcredist_x64.exe
6056	VC_redist.x86.exe
2128	VC_redist.x64.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
5632	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
244	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
5400	MsiExec.exe
3408	MsiExec.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Exploit = "C:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae.exe"	mbae-svc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240813155941.log\" /uninstall /quiet /norestart ignored /burn.runonce"	vcredist_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240813155953.log\" /uninstall /quiet /norestart ignored /burn.runonce"	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{61087a79-ac85-455c-934d-1fa22cc64f36} = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\vcredist_x86.exe\" /burn.runonce"	vcredist_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ef6b00ec-13e1-4c25-9064-b2f383cb8412} = "\"C:\\ProgramData\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\vcredist_x64.exe\" /burn.runonce"	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4d8dcf8c-a72a-43e1-9833-c12724db736e} = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13} = "\"C:\\ProgramData\\Package Cache\\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm120u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc110esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc110u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp110.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\atl110.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp110.dll	msiexec.exe
File created	C:\Windows\SysWOW64\atl110.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc110ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc70kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mswinsck.ocx	msiexec.exe
File created	C:\Windows\SysWOW64\msdatrep.ocx	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc100.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dbadapt.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\atl70.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc70jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc110chs.dll	msiexec.exe
File created	C:\Windows\system32\vcomp120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\comct232.ocx	msiexec.exe
File created	C:\Windows\SysWOW64\mfc71deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\comctl32.ocx	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc120cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc71esp.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc70.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfcm100u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc110.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc110jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc100kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mscomctl.ocx	msiexec.exe
File created	C:\Windows\system32\mfc100esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc120esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc100chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_ms.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\psuser_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_ur.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	msiexec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll	msiexec.exe
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\is-KHSSI.tmp	Business.tmp
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_ro.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_cy.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_bn.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\mscdrun.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_af.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_or.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\is-JG8BU.tmp	Business.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store	addinutil.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\EdgeUpdate.dat	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-1R9H6.tmp	Business.tmp
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-8DPD8.tmp	Business.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	msiexec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\is-UJ3BP.tmp	Business.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\mshtmpgr.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_id.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_kk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\psmachine.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_nl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll	msiexec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-PIAT4.tmp	Business.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeWebview2Setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160046609.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.7523_x-ww_7e578468.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB24F.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\1X98USX0KF\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\EQ86USMHFN\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Installer\MSIA521.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160043853.1\8.0.50727.6229.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\e585701.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160043853.0\8.0.50727.6229.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240813160022231.0	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160046607.0\mfc90kor.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB33E.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160020356.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_d7470ca6.cat	msiexec.exe
File created	C:\Windows\assembly\tmp\ML5LUJX0\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Installer\MSI8B0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA60E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Installer\SourceHash{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55BC.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI11CF.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160020356.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_d7470ca6.manifest	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160043806.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_1583ac57.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160046605.0\mfc90.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\EVM9OQZXJC\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll	msiexec.exe
File created	C:\Windows\assembly\tmp\YGXN2IQJ\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160043806.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_1583ac57.cat	msiexec.exe
File created	C:\Windows\Installer\e585708.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160022216.0\amd64_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.7523_x-ww_f4ca2f60.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160020435.1\8.0.50727.6229.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240813160020435.0	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160043853.1\8.0.50727.6229.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB074.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240813160046478.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.7523_x-ww_c2c04980.manifest	msiexec.exe
File created	C:\Windows\assembly\tmp\RZ5SJU3M\Microsoft.Office.Tools.Excel.Implementation.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240813160020435.1	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbae-svc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Business.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VisualCppRedist_AIO_x86_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5236	MicrosoftEdgeUpdate.exe
4820	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	TuberankJeetMAUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	TuberankJeetMAUI.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	TuberankJeetMAUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	TuberankJeetMAUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Colors	TuberankJeetMAUI.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Colors	TuberankJeetMAUI.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00028C00-0000-0000-0000-000000000046}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}\AlternateCLSID = "{D8C1B55B-12DC-457F-97EC-4B84305FAA13}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAEEE760-117E-101B-8933-08002B2F4F5A}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{02A69B00-081B-101B-8933-08002B2F4F5A}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1906F94F-8256-480A-8CDF-60821592CB4B}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93913-CB0F-11D0-84AC-00A0C90DC8A9}\AlternateCLSID = "{018BCA43-2122-4211-9589-458B6A6E2A63}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8C344712-5FEC-11CF-A0BF-00AA0062BE57}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6A227305-5C14-4EFD-AC52-516FE226F947}\AlternateCLSID = "{D8C1B55B-12DC-457F-97EC-4B84305FAA13}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAEEE760-117E-101B-8933-08002B2F4F5A}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8C344712-5FEC-11CF-A0BF-00AA0062BE57}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BFCA30D5-DDE3-11D1-B6D9-0000F87557F8}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}\AlternateCLSID = "{261399BF-4DBC-4731-B79F-EF8871D7CB36}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20C62CAB-15DA-101B-B9A8-444553540000}\AlternateCLSID = "{1B6413C2-C55E-4BA7-B4DF-1A71DBC6ACC2}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F6DB041E-66D0-48BC-8797-57C24F5C801C}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6A227305-5C14-4EFD-AC52-516FE226F947}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{601EB760-8909-11D0-9483-00A0C91110ED}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\AlternateCLSID = "{4D588145-A84B-4100-85D7-FD2EA1D19831}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAB97084-FC6C-11D0-805D-00C04FB6C701}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D646316D-0915-421A-84C1-6A21C2495791}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BFCA30D5-DDE3-11D1-B6D9-0000F87557F8}\AlternateCLSID = "{1E9B270D-5829-490E-84F5-1C25D74BF01D}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{02A69B00-081B-101B-8933-08002B2F4F5A}\AlternateCLSID = "{E304B70C-0FCE-4E1B-9C81-CDAAD9F7DA55}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93913-CB0F-11D0-84AC-00A0C90DC8A9}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\Compatibility Flags = "1024"	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\49	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\40	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\44	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\40	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\48	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\49	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\43	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\45	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\42	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\43	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\45	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\46	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\46	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\44	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\47	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\47	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4a\52C64B7E	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A227305-5C14-4EFD-AC52-516FE226F947}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1\ = "172433"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{942085FD-8AEE-465F-ADD7-5E7AA28F8C14}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D96A3E5C193D6A548ABF000BE1B210D0\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V11\DEPENDENTS\{33D1FD90-4274-48A1-9BC1-97E33D9C2D6F}	vcredist_x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AB297010A1550CA37AFEF0BA14653C28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6565773-FA54-45E9-941C-2505E54D5710}\MiscStatus\1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9012A7B8-F56E-11D0-8043-00C04FB6C701}\MiscStatus\1\ = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E404CD92-E7B8-4037-918D-5A18CFD09ED3}\MiscStatus\1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9A8831F1-A263-11D1-8DCF-00A0C90FFFC2}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAEEE760-117E-101B-8933-08002B2F4F5A}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\dblist32.ocx, 2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\ = "IStatusBarEvents"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Version\ = "2.2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0ECD9B62-23AA-11D0-B351-00A0C9055D8E}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Programmable	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6229",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E0750C-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ImageListCtrl\ = "Microsoft ImageList Control, version 5.0 (SP2)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E304B70C-0FCE-4E1B-9C81-CDAAD9F7DA55}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FA6A55FB-458A-11D1-9C71-00C04FB987DF}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFB66F3E-7A33-41E9-A4F7-FE87B64F5555}\TypeLib\ = "{27395F88-0C0C-101B-A3C9-08002B2F49FB}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\2013\\x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0D2F219-CCB0-11D0-A316-00AA00688B10}\MiscStatus\1\ = "131473"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.SBarCtrl.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TreeCtrl	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{642AC760-AAB4-11D0-8494-00A0C90DC8A9}\1.0\ = "Microsoft Data Report Designer 6.0 (SP4)"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFB66F3E-7A33-41E9-A4F7-FE87B64F5555}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A948063-66C3-4F63-AB46-582EDAA35047}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer\ = "MSComctlLib.ImageListCtrl.2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\MiscStatus\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\MiscStatus	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20C62CAB-15DA-101B-B9A8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{1B6413C2-C55E-4BA7-B4DF-1A71DBC6ACC2}\MiscStatus	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
3112	reg.exe
5696	reg.exe
908	reg.exe
3772	reg.exe
5288	reg.exe
3172	reg.exe
4768	reg.exe
5848	reg.exe
4800	reg.exe
1544	reg.exe
1948	reg.exe
1660	reg.exe
6128	reg.exe
5460	reg.exe
3616	reg.exe
5596	reg.exe
2148	reg.exe
1500	reg.exe
5116	reg.exe
3696	reg.exe
5744	reg.exe
4088	reg.exe
5668	reg.exe
740	reg.exe
5748	reg.exe
5860	reg.exe
3076	reg.exe
2940	reg.exe
3116	reg.exe
5248	reg.exe
6096	reg.exe
5304	reg.exe
5168	reg.exe
5548	reg.exe
3832	reg.exe
6024	reg.exe
220	reg.exe
5808	reg.exe
5892	reg.exe
5228	reg.exe
5164	reg.exe
5512	reg.exe
5164	reg.exe
5904	reg.exe
5584	reg.exe
3616	reg.exe
4940	reg.exe
3016	reg.exe
4500	reg.exe
4956	reg.exe
3304	reg.exe
1048	reg.exe
864	reg.exe
5552	reg.exe
5984	reg.exe
5256	reg.exe
2128	reg.exe
5720	reg.exe
6076	reg.exe
5828	reg.exe
5824	reg.exe
6012	reg.exe
3604	reg.exe
5472	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 528709.crdownload:SmartScreen	msedge.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdateSetup.exe\:SmartScreen:$DATA	MicrosoftEdgeWebview2Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
4880	msedge.exe
4880	msedge.exe
5080	msedge.exe
5080	msedge.exe
5476	identity_helper.exe
5476	identity_helper.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe
2980	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
4200	msedge.exe
4200	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4628	mbae-svc.exe
Token: SeIncreaseQuotaPrivilege	4628	mbae-svc.exe
Token: SeSecurityPrivilege	4628	mbae-svc.exe
Token: SeLoadDriverPrivilege	4628	mbae-svc.exe
Token: SeSystemtimePrivilege	4628	mbae-svc.exe
Token: SeShutdownPrivilege	4628	mbae-svc.exe
Token: SeSystemEnvironmentPrivilege	4628	mbae-svc.exe
Token: SeUndockPrivilege	4628	mbae-svc.exe
Token: SeManageVolumePrivilege	4628	mbae-svc.exe
Token: SeAssignPrimaryTokenPrivilege	3592	mbae64.exe
Token: SeIncreaseQuotaPrivilege	3592	mbae64.exe
Token: SeSecurityPrivilege	3592	mbae64.exe
Token: SeLoadDriverPrivilege	3592	mbae64.exe
Token: SeSystemtimePrivilege	3592	mbae64.exe
Token: SeShutdownPrivilege	3592	mbae64.exe
Token: SeSystemEnvironmentPrivilege	3592	mbae64.exe
Token: SeUndockPrivilege	3592	mbae64.exe
Token: SeManageVolumePrivilege	3592	mbae64.exe
Token: SeIncreaseQuotaPrivilege	5596	WMIC.exe
Token: SeSecurityPrivilege	5596	WMIC.exe
Token: SeTakeOwnershipPrivilege	5596	WMIC.exe
Token: SeLoadDriverPrivilege	5596	WMIC.exe
Token: SeSystemProfilePrivilege	5596	WMIC.exe
Token: SeSystemtimePrivilege	5596	WMIC.exe
Token: SeProfSingleProcessPrivilege	5596	WMIC.exe
Token: SeIncBasePriorityPrivilege	5596	WMIC.exe
Token: SeCreatePagefilePrivilege	5596	WMIC.exe
Token: SeBackupPrivilege	5596	WMIC.exe
Token: SeRestorePrivilege	5596	WMIC.exe
Token: SeShutdownPrivilege	5596	WMIC.exe
Token: SeDebugPrivilege	5596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5596	WMIC.exe
Token: SeRemoteShutdownPrivilege	5596	WMIC.exe
Token: SeUndockPrivilege	5596	WMIC.exe
Token: SeManageVolumePrivilege	5596	WMIC.exe
Token: 33	5596	WMIC.exe
Token: 34	5596	WMIC.exe
Token: 35	5596	WMIC.exe
Token: 36	5596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5596	WMIC.exe
Token: SeSecurityPrivilege	5596	WMIC.exe
Token: SeTakeOwnershipPrivilege	5596	WMIC.exe
Token: SeLoadDriverPrivilege	5596	WMIC.exe
Token: SeSystemProfilePrivilege	5596	WMIC.exe
Token: SeSystemtimePrivilege	5596	WMIC.exe
Token: SeProfSingleProcessPrivilege	5596	WMIC.exe
Token: SeIncBasePriorityPrivilege	5596	WMIC.exe
Token: SeCreatePagefilePrivilege	5596	WMIC.exe
Token: SeBackupPrivilege	5596	WMIC.exe
Token: SeRestorePrivilege	5596	WMIC.exe
Token: SeShutdownPrivilege	5596	WMIC.exe
Token: SeDebugPrivilege	5596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5596	WMIC.exe
Token: SeRemoteShutdownPrivilege	5596	WMIC.exe
Token: SeUndockPrivilege	5596	WMIC.exe
Token: SeManageVolumePrivilege	5596	WMIC.exe
Token: 33	5596	WMIC.exe
Token: 34	5596	WMIC.exe
Token: 35	5596	WMIC.exe
Token: 36	5596	WMIC.exe
Token: SeBackupPrivilege	2324	vssvc.exe
Token: SeRestorePrivilege	2324	vssvc.exe
Token: SeAuditPrivilege	2324	vssvc.exe
Token: SeShutdownPrivilege	540	vcredist_x86.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3704	Business.tmp
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
5192	TuberankJeetMAUI.exe
536	TuberankJeetMAUI.exe
4384	MicrosoftEdgeWebview2Setup.exe
4996	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdate.exe
2936	MicrosoftEdgeUpdate.exe
5236	MicrosoftEdgeUpdate.exe
5032	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3676	3848	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe	88
PID 3848 wrote to memory of 3676	3848	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe	88
PID 3848 wrote to memory of 3676	3848	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe	88
PID 3676 wrote to memory of 5080	3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp	98
PID 3676 wrote to memory of 5080	3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp	98
PID 5080 wrote to memory of 3140	5080	msedge.exe	100
PID 5080 wrote to memory of 3140	5080	msedge.exe	100
PID 3676 wrote to memory of 396	3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp	99
PID 3676 wrote to memory of 396	3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp	99
PID 3676 wrote to memory of 396	3676	TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp	99
PID 396 wrote to memory of 3704	396	Business.exe	101
PID 396 wrote to memory of 3704	396	Business.exe	101
PID 396 wrote to memory of 3704	396	Business.exe	101
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 1560	5080	msedge.exe	103
PID 5080 wrote to memory of 4880	5080	msedge.exe	104
PID 5080 wrote to memory of 4880	5080	msedge.exe	104
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105
PID 5080 wrote to memory of 1468	5080	msedge.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe
"C:\Users\Admin\AppData\Local\Temp\TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\is-UUGVE.tmp\TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UUGVE.tmp\TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.tmp" /SL5="$9004A,91222162,1040896,C:\Users\Admin\AppData\Local\Temp\TubeRank Jeet Ai Pro ChatGPT Plus Full Activated.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dr-farfar.com/softpopup
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99d3246f8,0x7ff99d324708,0x7ff99d324718
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:1660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,6824407854189514310,15989249032613777167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5476
- - C:\redist\Business.exe
    "C:\redist\Business.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\is-V33N4.tmp\Business.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-V33N4.tmp\Business.tmp" /SL5="$C01E0,2535896,56832,C:\redist\Business.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:3704
    - - C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-uninstaller.exe
        
        "C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-uninstaller.exe" /installopen
        5⤵
        Executes dropped EXE
        
        PID:3480
      - C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
        
        "C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe" -installopen
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4684
- - C:\redist\VisualCppRedist_AIO_x86_x64.exe
    "C:\redist\VisualCppRedist_AIO_x86_x64.exe" /ai /gm2
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Installer.cmd" /quiet"
      4⤵
      Checks computer location settings
      PID:5392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
      - C:\Windows\system32\reg.exe
        
        reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        6⤵
        
        PID:5436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:" 5."
        5⤵
        
        PID:5460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:5496
    - - C:\Windows\system32\reg.exe
        
        reg query "HKU\S-1-5-19"
        5⤵
        
        PID:5668
    - - C:\Windows\system32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
    - - C:\Windows\system32\find.exe
        
        find /i "ComputerSystem"
        5⤵
        
        PID:5524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query "hklm\software\microsoft\Windows NT\currentversion" /v productname" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
      - C:\Windows\system32\reg.exe
        
        reg query "hklm\software\microsoft\Windows NT\currentversion" /v productname
        6⤵
        
        PID:5656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query "hklm\software\microsoft\Windows NT\currentversion" /v UBR" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
      - C:\Windows\system32\reg.exe
        
        reg query "hklm\software\microsoft\Windows NT\currentversion" /v UBR
        6⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "hklm\software\microsoft\Windows NT\currentversion" /v buildlabex
        5⤵
        
        PID:5652
      - C:\Windows\system32\reg.exe
        
        reg query "hklm\software\microsoft\Windows NT\currentversion" /v buildlabex
        6⤵
        
        PID:5608
    - - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
        5⤵
        
        PID:3704
    - - C:\Windows\system32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:1360
    - - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
        5⤵
        
        PID:1424
    - - C:\Windows\system32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:5104
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5248
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5908
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5136
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 Preview Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5904
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5944
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 RC Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:6096
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:6104
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5892
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1952
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:6124
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 CTP Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:3112
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 Preview Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:4500
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3536
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5220
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 CTP Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5228
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5180
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5184
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 RC Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5828
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5848
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5212
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5860
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:6008
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5984
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 RC Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5256
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5268
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:6020
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5288
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5296
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:6012
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5304
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5420
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5368
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5744
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5472
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5404
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015-2019 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5584
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5668
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5132
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015-2022 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5596
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5524
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5508
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\wix.txt"
        5⤵
        
        PID:4068
    - - C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
        
        "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart
        5⤵
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
      - C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
        
        "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{550DBB9E-2AC0-4CFC-ADD5-B1D6A0ABC3F4} {6EB772D4-7F98-4F88-860B-7C0ACE1F516C} 540
        6⤵
        Loads dropped DLL
        
        PID:5684
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} /f
        5⤵
        Modifies registry key
        
        PID:5472
    - - C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        
        "C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /uninstall /quiet /norestart
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5404
      - C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        
        "C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{05892CA7-AB1C-4A36-8DCE-B95EBD461A12} {5502B91F-AEE1-4B2E-B4DA-A362E6010533} 5404
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} /f
        5⤵
        Modifies registry key
        
        PID:2128
    - - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        
        "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall /quiet /norestart
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1028
      - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        
        "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{B4FFCB36-C847-4284-82F3-3DBD000F086E} {86593DC0-13C7-4A98-B259-0F180293F113} 1028
        6⤵
        Loads dropped DLL
        
        PID:220
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{61087a79-ac85-455c-934d-1fa22cc64f36} /f
        5⤵
        Modifies registry key
        
        PID:4956
    - - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
        
        "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" /uninstall /quiet /norestart
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4812
      - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
        
        "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{F0E15C8B-E8DF-44D2-A904-88CF92EFE0EA} {13C7F93C-84BF-4C0E-9FED-C6178599A1DE} 4812
        6⤵
        Loads dropped DLL
        
        PID:5056
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412} /f
        5⤵
        Modifies registry key
        
        PID:5696
    - - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\vc_redist.x86.exe" /uninstall /quiet /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /uninstall /quiet /norestart
        6⤵
        Loads dropped DLL
        
        PID:6056
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{601DF75A-64D0-40D5-9812-33D034972CDF} {7E55D64D-CD7A-4E24-B7C9-156387F8AE33} 6056
        7⤵
        Adds Run key to start application
        
        PID:540
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{4d8dcf8c-a72a-43e1-9833-c12724db736e} /f
        5⤵
        Modifies registry key
        
        PID:5552
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\vc_redist.x64.exe" /uninstall /quiet /norestart
        5⤵
        
        PID:5544
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /uninstall /quiet /norestart
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{F8A85036-7E0B-4FDE-9054-E0EEE611C9E3} {76CF55A0-EEBF-415D-B712-B94B351B2D97} 2128
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4356
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13} /f
        5⤵
        Modifies registry key
        
        PID:5164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp100.dll"
        5⤵
        
        PID:5724
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp100.dll"
        6⤵
        
        PID:3316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 0.40219.473
        5⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp110.dll"
        5⤵
        
        PID:2152
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp110.dll"
        6⤵
        
        PID:5688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 0.61135.400
        5⤵
        
        PID:5388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp120.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp120.dll"
        6⤵
        
        PID:5296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 0.40664.0
        5⤵
        
        PID:5372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp140.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp140.dll"
        6⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 40.33810.0
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s
        5⤵
        
        PID:5368
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5736
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5572
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
        5⤵
        
        PID:2156
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:3616
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3380
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:3208
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5668
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5524
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5644
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {9BE518E6-ECC6-35A9-88E4-87755C07200F}
        5⤵
        
        PID:5692
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:4088
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3936
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x86 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5548
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4296
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
        5⤵
        
        PID:2612
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x86 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:908
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5556
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:4740
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3304
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3028
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {B175520C-86A2-35A7-8619-86DC379688B9}
        5⤵
        
        PID:5676
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:4800
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1804
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
        5⤵
        
        PID:3192
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:1544
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5132
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {D401961D-3A20-3AC7-943B-6139D5BD490A}
        5⤵
        
        PID:5552
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5824
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:848
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {8122DAB1-ED4D-3676-BB0A-CA368196543E}
        5⤵
        
        PID:1912
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:2148
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}
        5⤵
        
        PID:2364
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3076
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {0C3457A0-3DCE-4A33-BEF0-9B528C557771}
        5⤵
        
        PID:4044
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:740
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4872
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:1948
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:2348
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:1500
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3772
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4580
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3172
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4612
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:1048
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:552
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x86 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:2940
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x86 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3832
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\msi.txt"
        5⤵
        
        PID:1560
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F} /quiet /norestart
        5⤵
        
        PID:4856
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} /f
        5⤵
        Modifies registry key
        
        PID:5720
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} /quiet /norestart
        5⤵
        
        PID:5704
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} /f
        5⤵
        Modifies registry key
        
        PID:6012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll"
        5⤵
        
        PID:4688
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll"
        6⤵
        
        PID:5496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 0.60917.0
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\System32\msvcp100.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
      - C:\Windows\system32\cscript.exe
        
        cscript.exe //nologo filever.vbs "C:\Windows\System32\msvcp100.dll"
        6⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo 0.40219.473
        5⤵
        
        PID:1800
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:4940
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:2484
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}
        5⤵
        
        PID:2300
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s
        5⤵
        
        PID:4468
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3240
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:5864
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:5116
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3620
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:2304
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
        5⤵
        
        PID:1152
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:3696
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4956
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:3452
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x64 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:3604
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {1D8E6291-B0D5-35EC-8441-6616F567A0F7}
        5⤵
        
        PID:5096
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x64 Redistributable" /s
        5⤵
        Modifies registry key
        
        PID:3116
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:768
    - - C:\Windows\system32\findstr.exe
        
        findstr /r "{.*-.*-.*-.*-.*}"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:4768
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {37B8F9C7-03FB-3253-8781-2517C99D7C00}
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5512
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3524
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
        5⤵
        
        PID:2284
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5164
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {010792BA-551A-3AC0-A7EF-0FAB4156C382}
        5⤵
        
        PID:5836
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:864
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:2440
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {53CF6934-A98D-3D84-9146-FC4EDF3D5641}
        5⤵
        
        PID:5480
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:220
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {59CED48F-EBFE-480C-8A38-FC079C2BEC0F}
        5⤵
        
        PID:1768
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:3016
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /v {B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}
        5⤵
        
        PID:5140
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:6128
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5188
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5848
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:6032
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:6076
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5460
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:3504
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:5168
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5308
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x64 Minimum Runtime" /s
        5⤵
        Modifies registry key
        
        PID:6024
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5828
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x64 Additional Runtime" /s
        5⤵
        Modifies registry key
        
        PID:1660
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:4108
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x64 Minimum Runtime" /s
        5⤵
        
        PID:3160
    - - C:\Windows\system32\find.exe
        
        find /i "HKEY_LOCAL_MACHINE"
        5⤵
        
        PID:5680
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\msi.txt"
        5⤵
        
        PID:5720
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} /quiet /norestart
        5⤵
        
        PID:4240
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} /f
        5⤵
        Modifies registry key
        
        PID:3616
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7} /quiet /norestart
        5⤵
        
        PID:3456
    - - C:\Windows\system32\reg.exe
        
        reg delete hklm\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} /f
        5⤵
        Modifies registry key
        
        PID:5984
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2005\x64\vcredist.msi" /qn /norestart
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2008\x64\vc_red.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2010\x64\vc_red.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x64\vc_runtimeMinimum_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        
        PID:5776
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x64\vc_runtimeAdditional_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4408
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x64\vc_runtimeMinimum_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1804
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x64\vc_runtimeAdditional_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x64\vc_runtimeMinimum_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        
        PID:5820
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x64\vc_runtimeAdditional_x64.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5696
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\vstor40_x64.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2005\x86\vcredist.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2008\x86\vc_red.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2010\x86\vc_red.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x86\vc_runtimeMinimum_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        
        PID:2364
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x86\vc_runtimeAdditional_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4108
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x86\vc_runtimeMinimum_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x86\vc_runtimeAdditional_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4888
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x86\vc_runtimeMinimum_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        
        PID:1268
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x86\vc_runtimeAdditional_x86.msi" /qn /norestart
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{C5E3A69D-D391-45A6-A8FB-00B01E2B010D} /v UninstallString
        5⤵
        Modifies registry key
        
        PID:5748
    - - C:\Windows\system32\reg.exe
        
        reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{C5E3A69D-D392-45A6-A8FB-00B01E2B010D} /v UninstallString
        5⤵
        Modifies registry key
        
        PID:5808
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{C5E3A69D-D392-45A6-A8FB-00B01E2B010D} /quiet /norestart
        5⤵
        
        PID:5584
    - - C:\Windows\system32\msiexec.exe
        
        MsiExec.exe /X{C5E3A69D-D393-45A6-A8FB-00B01E2B010D} /quiet /norestart
        5⤵
        
        PID:5372
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vbc\vbcrun.msi" /qn /norestart
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4628
- C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
  "C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe" /mbt
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2980
- \??\c:\Windows\syswow64\MsiExec.exe
  c:\Windows\syswow64\MsiExec.exe -Embedding 1F874FAC5729F5117FBAA54D16F34407
  2⤵
  - Loads dropped DLL
  PID:536
- \??\c:\Windows\syswow64\MsiExec.exe
  c:\Windows\syswow64\MsiExec.exe -Embedding 2E587136AC4DA0CE75F55494ABD61D88
  2⤵
  - Loads dropped DLL
  PID:5632
- \??\c:\Windows\System32\MsiExec.exe
  c:\Windows\System32\MsiExec.exe -Embedding F19664DBC4147D4527997367D4EBDF54
  2⤵
  - Loads dropped DLL
  PID:244
- \??\c:\Windows\System32\MsiExec.exe
  c:\Windows\System32\MsiExec.exe -Embedding 7122593B77299ECC5C7DD829C3516BCB
  2⤵
  - Loads dropped DLL
  PID:5400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CE8EBB9EFD335116E4CF495656553D8B
  2⤵
  - Loads dropped DLL
  PID:3408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 438F96A51B70E76C6676173E56650A3C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 193CDF89CF2903BE7F9E91D984324ECD
  2⤵
  PID:5664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9CED59487817E680444C5F62E485AC15 M Global\MSI0000
  2⤵
  PID:1804
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5E5B57A04E2084DE877A3FB783ADCBEA E Global\MSI0000
  2⤵
  PID:5736
- - C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
    "C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
    3⤵
    - Drops file in Program Files directory
    PID:2484
- - C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
    "C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
    3⤵
    PID:5368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7C04C4BCAFD11C40567290EF37DE2AAE E Global\MSI0000
  2⤵
  PID:4680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3884
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:2944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:5580
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:1068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5508
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:3172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:5484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:5544
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:4316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:4112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:5872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5480
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:2144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:4068
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:5648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:5572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:1588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:4720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5404
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:4316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:6132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:4856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:5536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
    3⤵
    PID:3816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:6136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3708
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:4240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:2516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:5800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:6056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4056
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:3948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5248
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5252
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:3112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5472
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:3936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5464
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:4296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:5672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1116
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies
    3⤵
    PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
    3⤵
    PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
    3⤵
    PID:5732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7C773D513343999616672C1E0608A7D
  2⤵
  PID:5224

C:\TubeRank Jeet Ai Pro ChatGPT Plus\TuberankJeetMAUI.exe
"C:\TubeRank Jeet Ai Pro ChatGPT Plus\TuberankJeetMAUI.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:5192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c start https://www.Dr-FarFar.com
  2⤵
  PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dr-farfar.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff99d3246f8,0x7ff99d324708,0x7ff99d324718
      4⤵
      PID:376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
      4⤵
      PID:6124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      4⤵
      PID:5136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
      4⤵
      PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17276324530625401015,5479949742779952729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5772

C:\TubeRank Jeet Ai Pro ChatGPT Plus\TuberankJeetMAUI.exe
"C:\TubeRank Jeet Ai Pro ChatGPT Plus\TuberankJeetMAUI.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c start https://www.Dr-FarFar.com
  2⤵
  PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dr-farfar.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff99d3246f8,0x7ff99d324708,0x7ff99d324718
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,13941056387015071563,13694703104799490975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,13941056387015071563,13694703104799490975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,13941056387015071563,13694703104799490975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13941056387015071563,13694703104799490975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,13941056387015071563,13694703104799490975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/winui3/webview2download/
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:1172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff99d3246f8,0x7ff99d324708,0x7ff99d324718
    3⤵
    PID:5456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    PID:180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    PID:5608
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    PID:5224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4940 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 /prefetch:8
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,12154239213054883147,14082236489319446281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    PID:696
- - C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe
    "C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    PID:4384
  - - C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU1B78.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Checks system information in the registry
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4996
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2824
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2936
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEJENEExODEtMjU1MS00QzM2LTlCQzQtQUI2NTZENTE3MUMyfSIgdXNlcmlkPSJ7MjdCRTMyQjgtOUZCMC00NzI3LUJERjQtOUM4QjY0N0RCM0MwfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezA0MEREMEU0LTlCMjQtNEM0RC04OTE2LTE4QjRBRDc0NTdDNH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjE1IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjQxODk2NTQ2NCIgaW5zdGFsbF90aW1lX21zPSI1MjgiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Checks system information in the registry
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{0BD4A181-2551-4C36-9BC4-AB656D5171C2}"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
PID:5472
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEJENEExODEtMjU1MS00QzM2LTlCQzQtQUI2NTZENTE3MUMyfSIgdXNlcmlkPSJ7MjdCRTMyQjgtOUZCMC00NzI3LUJERjQtOUM4QjY0N0RCM0MwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7REQ1NjBDRUUtQTNFMi00RUY5LTlBREQtMDJDMENDRkU2QzQxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2hWZkRqTWRGRzZGZ0tzME56NmVtcllDU2c2VFF2RFBvbW9sUmF5UVhCSzQ9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNzEzIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyNzAwMTQ5Mzc0Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjQyNTAxMTk0MiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery