036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 32 IoCs

pid	Process
5572	SteamSetup.exe
5488	steamservice.exe
5896	steam.exe
8520	steam.exe
8308	steamwebhelper.exe
8264	steamwebhelper.exe
8084	steamwebhelper.exe
7992	steamwebhelper.exe
7676	gldriverquery64.exe
7616	steamwebhelper.exe
7560	steamwebhelper.exe
7264	gldriverquery.exe
7244	vulkandriverquery64.exe
7156	vulkandriverquery.exe
18608	dismhost.exe
19872	Steam.exe
19988	steamwebhelper.exe
10656	steamwebhelper.exe
11344	steamwebhelper.exe
11132	steamwebhelper.exe
5832	gldriverquery64.exe
12016	steamwebhelper.exe
11928	steamwebhelper.exe
2120	gldriverquery.exe
6156	vulkandriverquery64.exe
6448	vulkandriverquery.exe
17924	steamwebhelper.exe
15428	steamwebhelper.exe
5660	steamerrorreporter.exe
20036	SteamtoolsSetup.exe
21844	steamerrorreporter.exe
22708	steamerrorreporter.exe

Loads dropped DLL 64 IoCs

pid	Process
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8264	steamwebhelper.exe
8264	steamwebhelper.exe
8264	steamwebhelper.exe
8520	steam.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8084	steamwebhelper.exe
8520	steam.exe
7992	steamwebhelper.exe
7992	steamwebhelper.exe
7992	steamwebhelper.exe
8520	steam.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
7560	steamwebhelper.exe
7560	steamwebhelper.exe
7560	steamwebhelper.exe
7560	steamwebhelper.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe
18608	dismhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
17636	powershell.exe
23452	powershell.exe

Detected potential entity reuse from brand steam.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0070.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_s_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_gyro_pitch.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_polish.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_koreana-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_latam.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_100_target_0170.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steamui_french-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\DeleteCache.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_back_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_dpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\joyconpair_left_sr.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_button_options_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_circle_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_swipe.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\win32_win_min.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_rg_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_hungarian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_r2_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamOverlayVulkanLayer.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_CDKey_Success.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_100_target_0080.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_lt_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\bump_paper_w.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_rb_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\DialogCheckForUpdates_Expanded.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_speaker_ringing.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_lb_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\sounds\deck_ui_tab_transition_01.wav_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_button_plus_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p3_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\desktop_neptune.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_r2_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_vr_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_ring_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_button_logo_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\LocalizedAudioChoiceDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_button_steam_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox360_button_select_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_p2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0325.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\SharedLibraryNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\libx264-142.dll.md5_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_rt_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_outlined_button_a_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_buttons_w_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\sounds\deck_ui_misc_10.wav_	steam.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping19988_354887355\manifest.fingerprint	steamwebhelper.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0341.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\libraries\libraries~00299a408.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l2_half_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_menu_sm.png_	steam.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
17884	sc.exe
20232	sc.exe
20440	sc.exe
20312	sc.exe
20500	sc.exe
4928	sc.exe
11408	sc.exe
11356	sc.exe
17868	sc.exe
17880	sc.exe
20472	sc.exe
20520	sc.exe
17452	sc.exe
23276	sc.exe
17724	sc.exe
20328	sc.exe
17912	sc.exe
20212	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SteamtoolsSetup.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe

Checks processor information in registry 2 TTPs 54 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
10616	taskkill.exe
20316	taskkill.exe
2588	taskkill.exe
14452	taskkill.exe
16592	taskkill.exe
23112	taskkill.exe
6824	taskkill.exe
2044	taskkill.exe
16908	taskkill.exe
17284	taskkill.exe
17644	taskkill.exe
18532	taskkill.exe
22800	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133681147924342922"	msedge.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{A528B85F-BDFE-4994-A2B2-8E699A63B4C6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{EF393919-6757-4679-98B0-5E4E9478C4DF}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	taskmgr.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

pid	Process
17908	reg.exe
1004	reg.exe
20128	reg.exe
17892	reg.exe
20424	reg.exe
20512	reg.exe
5032	reg.exe
20144	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MAS_AIO.cmd:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SteamtoolsSetup.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
19256	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
5572	SteamSetup.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe
8520	steam.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
8520	steam.exe
19872	Steam.exe
13904	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	5572	SteamSetup.exe
Token: SeDebugPrivilege	5572	SteamSetup.exe
Token: SeDebugPrivilege	5572	SteamSetup.exe
Token: SeDebugPrivilege	5572	SteamSetup.exe
Token: SeDebugPrivilege	5572	SteamSetup.exe
Token: SeSecurityPrivilege	5488	steamservice.exe
Token: SeSecurityPrivilege	5488	steamservice.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeShutdownPrivilege	8308	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	8308	steamwebhelper.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	16592	taskkill.exe
Token: SeDebugPrivilege	16908	taskkill.exe
Token: SeDebugPrivilege	17284	taskkill.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	17644	taskkill.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	20316	taskkill.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	2588	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
11760	msdt.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
8308	steamwebhelper.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe
19988	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
5572	SteamSetup.exe
5488	steamservice.exe
8520	steam.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
18820	firefox.exe
19872	Steam.exe
12764	OpenWith.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 2432 wrote to memory of 1968	2432	firefox.exe	108
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 996	1968	firefox.exe	109
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110
PID 1968 wrote to memory of 5036	1968	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d090f0d4-6f8f-456e-b7b8-9c389a8dd3ff} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu
    3⤵
    PID:996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {846e832b-b348-437a-aaf3-e447dede100e} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket
    3⤵
    - Checks processor information in registry
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2736 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ed2112-9c48-40bd-8d43-81b87c250326} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4004 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab432060-983f-4d99-9408-b338f73c07ab} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:4224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20b4cb92-e126-4ff6-ae70-21800a92b863} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility
    3⤵
    - Checks processor information in registry
    PID:5796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13081acd-9816-456a-b0bf-60232161564b} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e8f0307-74ba-48c6-a10d-807e963de1c5} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a033237-db53-4867-aeab-d3f0ead94f08} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:3492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 6 -isForBrowser -prefsHandle 5932 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93b4363-55f3-43e6-9ac5-aabe800e8b4f} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -parentBuildID 20240401114208 -prefsHandle 6180 -prefMapHandle 6204 -prefsLen 29525 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6455a442-113c-41ab-960f-d6e2c7e87c98} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" rdd
    3⤵
    PID:4724
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5572
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5488

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:5896
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:8520
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=8520" "-buildid=1721173382" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:8308
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1721173382 --initial-client-data=0x368,0x36c,0x370,0x344,0x374,0x7ffac415ee38,0x7ffac415ee48,0x7ffac415ee58
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8264
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1584 --field-trial-handle=1724,i,13596908687595403617,14364461437413461934,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8084
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2220 --field-trial-handle=1724,i,13596908687595403617,14364461437413461934,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7992
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2516 --field-trial-handle=1724,i,13596908687595403617,14364461437413461934,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7616
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1724,i,13596908687595403617,14364461437413461934,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7560
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:7676
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7264
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:7244
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
PID:7788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9336

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:16524
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:16592

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:16848
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:16908

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:17232
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:17284

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:17600
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:17644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4776,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:8
1⤵
PID:17756

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:20236
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:20316

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:5504
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:18588
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  PID:18532

C:\Users\Admin\Desktop\SteamtoolsSetup.exe
"C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
1⤵
PID:22760
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  PID:22800

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:20824

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\activator.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:19256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:10764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:18820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 24856 -prefMapSize 245030 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f08b087-4faa-4d9c-a592-44a356332259} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" gpu
    3⤵
    PID:19064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 24856 -prefMapSize 245030 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7cf333a-7539-40e3-ae9d-07693bee58fa} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" socket
    3⤵
    - Checks processor information in registry
    PID:19180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 25355 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {159deaaf-99a9-4913-8f6c-bdc3e024c978} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:19612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 30588 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4696338-566c-4b9d-a39d-1cc17d3b0e39} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:19864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4752 -prefsLen 30588 -prefMapSize 245030 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a620bb-4150-40c8-bb25-703f08493f22} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" utility
    3⤵
    - Checks processor information in registry
    PID:10976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 28027 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ad0a58-7f7c-480c-a892-86a0fe53afe1} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:6204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5364 -prefsLen 28027 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ef3a274-de3f-43fd-a5a9-f171c838bfcb} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:6212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5700 -prefsLen 28027 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6829a32c-e9d8-4591-b977-02eeccff2807} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:6224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -parentBuildID 20240401114208 -prefsHandle 6012 -prefMapHandle 6000 -prefsLen 30695 -prefMapSize 245030 -appDir "C:\Program Files\Mozilla Firefox\browser" - {911fa676-6703-4a87-9163-97bfbe7006d0} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" rdd
    3⤵
    PID:6768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 6 -isForBrowser -prefsHandle 6040 -prefMapHandle 6024 -prefsLen 28027 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a24661-b6c5-4022-8241-d75747be33af} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:6756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3596 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 3440 -prefMapHandle 3952 -prefsLen 30774 -prefMapSize 245030 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51b8ef20-f40c-4105-b022-ac0396ed2475} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" utility
    3⤵
    - Checks processor information in registry
    PID:16088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6320 -childID 7 -isForBrowser -prefsHandle 6304 -prefMapHandle 6300 -prefsLen 28106 -prefMapSize 245030 -jsInitHandle 1440 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f435d98d-44ac-42e0-8071-236edf236a82} 18820 "\\.\pipe\gecko-crash-server-pipe.18820" tab
    3⤵
    PID:15788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MAS_AIO.cmd" "
1⤵
PID:16700
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "MAS_AIO.cmd"
  2⤵
  PID:16460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:17340
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:17020
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:17476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:17500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:17504
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO.cmd" "
  2⤵
  PID:17264
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:17220
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:17280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  PID:17560
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:17240
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:9260
- C:\Windows\System32\choice.exe
  choice /C:12345670 /N
  2⤵
  PID:17612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3644
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:16748
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:16784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:17688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:17676
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:10024
- C:\Windows\System32\mode.com
  mode 76, 25
  2⤵
  PID:17820
- C:\Windows\System32\choice.exe
  choice /C:120 /N
  2⤵
  PID:17616
- C:\Windows\System32\mode.com
  mode 102, 33
  2⤵
  PID:17704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
  2⤵
  PID:17832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:17636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
  2⤵
  PID:17396
- C:\Windows\System32\find.exe
  find /i "Windows"
  2⤵
  PID:2500
- C:\Windows\System32\wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  PID:17384
- C:\Windows\System32\find.exe
  find /i "computersystem"
  2⤵
  PID:17188
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:17724
- C:\Windows\System32\wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
  2⤵
  PID:16668
- C:\Windows\System32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:17344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
  2⤵
  PID:17552
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
    3⤵
    PID:17540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
  2⤵
  PID:5608
- - C:\Windows\System32\wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
  2⤵
  PID:9500
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:3668
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:17796
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:17720
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:20176
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:20184
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
  2⤵
  - Modifies registry key
  PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul
  2⤵
  PID:20052
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
    3⤵
    - Modifies registry key
    PID:20144
- C:\Windows\System32\sc.exe
  sc start ClipSVC
  2⤵
  - Launches sc.exe
  PID:17884
- C:\Windows\System32\sc.exe
  sc query ClipSVC
  2⤵
  - Launches sc.exe
  PID:20312
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
  2⤵
  - Modifies registry key
  PID:17908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul
  2⤵
  PID:17848
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    3⤵
    - Modifies registry key
    PID:1004
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:17868
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:20500
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
  2⤵
  - Modifies registry key
  PID:17892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start 2>nul
  2⤵
  PID:20392
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
    3⤵
    - Modifies registry key
    PID:20128
- C:\Windows\System32\sc.exe
  sc start KeyIso
  2⤵
  - Launches sc.exe
  PID:17880
- C:\Windows\System32\sc.exe
  sc query KeyIso
  2⤵
  - Launches sc.exe
  PID:20328
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
  2⤵
  - Modifies registry key
  PID:20424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul
  2⤵
  PID:13040
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    3⤵
    - Modifies registry key
    PID:20512
- C:\Windows\System32\sc.exe
  sc start Winmgmt
  2⤵
  - Launches sc.exe
  PID:20472
- C:\Windows\System32\sc.exe
  sc query Winmgmt
  2⤵
  - Launches sc.exe
  PID:20232
- C:\Windows\System32\net.exe
  net start ClipSVC /y
  2⤵
  PID:17372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start ClipSVC /y
    3⤵
    PID:20208
- C:\Windows\System32\sc.exe
  sc query ClipSVC
  2⤵
  - Launches sc.exe
  PID:20520
- C:\Windows\System32\find.exe
  find /i "4 RUNNING"
  2⤵
  PID:20220
- C:\Windows\System32\sc.exe
  sc start ClipSVC
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:20080
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:20440
- C:\Windows\System32\find.exe
  find /i "4 RUNNING"
  2⤵
  PID:20420
- C:\Windows\System32\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:17452
- C:\Windows\System32\net.exe
  net start KeyIso /y
  2⤵
  PID:16696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start KeyIso /y
    3⤵
    PID:20524
- C:\Windows\System32\sc.exe
  sc query KeyIso
  2⤵
  - Launches sc.exe
  PID:17912
- C:\Windows\System32\find.exe
  find /i "4 RUNNING"
  2⤵
  PID:11472
- C:\Windows\System32\sc.exe
  sc start KeyIso
  2⤵
  - Launches sc.exe
  PID:11408
- C:\Windows\System32\net.exe
  net start Winmgmt /y
  2⤵
  PID:11384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Winmgmt /y
    3⤵
    PID:11368
- C:\Windows\System32\sc.exe
  sc query Winmgmt
  2⤵
  - Launches sc.exe
  PID:11356
- C:\Windows\System32\find.exe
  find /i "4 RUNNING"
  2⤵
  PID:20224
- C:\Windows\System32\sc.exe
  sc start Winmgmt
  2⤵
  - Launches sc.exe
  PID:20212
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State"
  2⤵
  PID:5128
- C:\Windows\System32\find.exe
  find /i "IMAGE_STATE_COMPLETE"
  2⤵
  PID:6108
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
  2⤵
  PID:7060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe $ExecutionContext.SessionState.LanguageMode
  2⤵
  PID:4396
- C:\Windows\System32\find.exe
  find /i "Full"
  2⤵
  PID:3956
- C:\Windows\System32\wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  PID:11452
- C:\Windows\System32\find.exe
  find /i "computersystem"
  2⤵
  PID:11400
- C:\Windows\System32\Dism.exe
  DISM /English /Online /Get-CurrentEdition
  2⤵
  - Drops file in Windows directory
  PID:20484
- - C:\Users\Admin\AppData\Local\Temp\67F156CB-864F-468D-8C9E-A756D725DE87\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\67F156CB-864F-468D-8C9E-A756D725DE87\dismhost.exe {003CB82C-E100-444F-A58F-E9A530179488}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:18608
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 0
  2⤵
  PID:22648
- C:\Windows\System32\cscript.exe
  cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
  2⤵
  PID:22628
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 0
  2⤵
  PID:21816
- C:\Windows\System32\reg.exe
  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
  2⤵
  PID:21496
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
  2⤵
  PID:22260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
  2⤵
  PID:4168
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
    3⤵
    PID:22008
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
  2⤵
  PID:22748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
  2⤵
  PID:22828
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
    3⤵
    PID:22832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
  2⤵
  PID:22696
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
    3⤵
    PID:22736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul
  2⤵
  PID:23016
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value
    3⤵
    PID:23028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "
  2⤵
  PID:21920
- C:\Windows\System32\find.exe
  find /i "2de67392-b7a7-462a-b1ca-108dd189f588"
  2⤵
  PID:21228
- C:\Windows\System32\wbem\WMIC.exe
  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"
  2⤵
  PID:22372
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 0
  2⤵
  PID:21936
- C:\Windows\System32\wbem\WMIC.exe
  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
  2⤵
  PID:21876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE" 2>nul
  2⤵
  PID:22816
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE
    3⤵
    PID:23108
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:23040
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:23132
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
  2⤵
  PID:22300
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"
  2⤵
  PID:22356
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:22272
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:22944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:23080
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:23044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:23116
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:23312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:23304
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:23276
- C:\Windows\System32\find.exe
  find /i "1 STOPPED"
  2⤵
  PID:21912
- C:\Windows\System32\net.exe
  net stop ClipSVC /y
  2⤵
  PID:4600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ClipSVC /y
    3⤵
    PID:4344
- C:\Windows\System32\net.exe
  net start ClipSVC /y
  2⤵
  PID:23260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start ClipSVC /y
    3⤵
    PID:23300
- C:\Windows\System32\ClipUp.exe
  clipup -v -o
  2⤵
  PID:5784
- - C:\Windows\System32\clipup.exe
    clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem7138.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:21576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
  2⤵
  PID:5316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:23452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
  2⤵
  PID:5724
- C:\Windows\System32\find.exe
  find /i "Windows"
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE" 2>nul
  2⤵
  PID:23488
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE
    3⤵
    PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(7064054)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul
  2⤵
  PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$([DateTime]::Now.addMinutes(7064054)).ToString('yyyy-MM-dd HH:mm:ss')"
    3⤵
    PID:724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect;"
  2⤵
  PID:21520
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:5428
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
  2⤵
  PID:5440
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:4860
- C:\Windows\System32\choice.exe
  choice /C:12345670 /N
  2⤵
  PID:5928

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:23480
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem6978.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:3264

C:\Users\Admin\Desktop\SteamtoolsSetup.exe
"C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
1⤵
PID:22900
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  PID:23112

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\SteamtoolsSetup.exe" CompatTab
1⤵
PID:11656
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW7FE4.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:11760
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
    3⤵
    - Checks computer location settings
    PID:19340
  - - C:\Users\Admin\Desktop\SteamtoolsSetup.exe
      "C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
      4⤵
      PID:11892
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM Steamtools.exe /F
        5⤵
        Kills process with taskkill
        
        PID:10616

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:22548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zls5za4\0zls5za4.cmdline"
  2⤵
  PID:20664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8515.tmp" "c:\Users\Admin\AppData\Local\Temp\0zls5za4\CSC9E436AD21CC740E0A057F91A1D5A4E49.TMP"
    3⤵
    PID:22576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vsr0n51\4vsr0n51.cmdline"
  2⤵
  PID:11764
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85EF.tmp" "c:\Users\Admin\AppData\Local\Temp\4vsr0n51\CSC4701CD1D890245C2B68927468FBE72C.TMP"
    3⤵
    PID:10400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\efnqvtq0\efnqvtq0.cmdline"
  2⤵
  PID:22088
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C48.tmp" "c:\Users\Admin\AppData\Local\Temp\efnqvtq0\CSCCD64A39A239948329B4AA30C332DE56.TMP"
    3⤵
    PID:18368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:18916

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:19872
- C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
  "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=19872" "-buildid=1721173382" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:19988
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1721173382 --initial-client-data=0x35c,0x360,0x364,0x338,0x368,0x7ffac415ee38,0x7ffac415ee48,0x7ffac415ee58
    3⤵
    - Executes dropped EXE
    PID:10656
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1596 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:11344
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2200 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:11132
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2556 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:12016
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:11928
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=3588 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:17924
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=3604 --field-trial-handle=1728,i,13873679682626179123,3067092522569664345,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:15428
- C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
  .\bin\gldriverquery64.exe
  2⤵
  - Executes dropped EXE
  PID:5832
- C:\Program Files (x86)\Steam\bin\gldriverquery.exe
  .\bin\gldriverquery.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
  .\bin\vulkandriverquery64.exe
  2⤵
  - Executes dropped EXE
  PID:6156
- C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
  .\bin\vulkandriverquery.exe
  2⤵
  - Executes dropped EXE
  PID:6448
- C:\Program Files (x86)\Steam\steamerrorreporter.exe
  C:\Program Files (x86)\Steam\steam
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5660
- C:\Program Files (x86)\Steam\steamerrorreporter.exe
  C:\Program Files (x86)\Steam\steam
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:21844
- C:\Program Files (x86)\Steam\steamerrorreporter.exe
  C:\Program Files (x86)\Steam\steam
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:22708

C:\Users\Admin\Desktop\SteamtoolsSetup.exe
"C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
1⤵
PID:6652
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  PID:6824

C:\Users\Admin\Desktop\SteamtoolsSetup.exe
"C:\Users\Admin\Desktop\SteamtoolsSetup.exe"
1⤵
PID:14532
- C:\Windows\system32\taskkill.exe
  "taskkill" /IM Steamtools.exe /F
  2⤵
  - Kills process with taskkill
  PID:14452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta45bb341h3affh4fa8h9570hffc8b61aa0c0
1⤵
PID:12716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:13904

C:\Windows\System32\3uu4gi.exe
"C:\Windows\System32\3uu4gi.exe"
1⤵
PID:8692

C:\Windows\System32\3uu4gi.exe
"C:\Windows\System32\3uu4gi.exe"
1⤵
PID:8600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=3uu4gi.exe 3uu4gi.exe"
1⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5036,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:1
1⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5048,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:1
1⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5292,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
1⤵
PID:8476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5320,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
1⤵
PID:8480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5728,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:8
1⤵
PID:8220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5932,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:1
1⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6072,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8
1⤵
PID:7556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=5056,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
1⤵
- Modifies registry class
PID:7600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5112,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:1
1⤵
PID:7320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:7020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x254,0x7ffac0a4d198,0x7ffac0a4d1a4,0x7ffac0a4d1b0
  2⤵
  PID:6988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2300,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  PID:9984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1876,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  PID:9992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2440,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:7076
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4464,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:7396
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4464,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:8204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4496,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3464,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:11184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4900,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:15972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=1308,i,462576115513697233,5860880801009541173,262144 --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:20496

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:7352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:9376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 24856 -prefMapSize 245077 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58268176-eade-4de4-96c7-f8e89d07ab6a} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" gpu
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20240401114208 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 24856 -prefMapSize 245077 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bf0182e-6037-40dd-9432-0e04ea9c1a0a} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" socket
    3⤵
    - Checks processor information in registry
    PID:14876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3160 -prefsLen 25355 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6469c71c-d635-4c9b-b86a-b45eb24089b6} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:9324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3560 -childID 2 -isForBrowser -prefsHandle 3044 -prefMapHandle 2860 -prefsLen 30588 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {345a7bd4-f4fe-45ca-ae00-4415e1ffdcb1} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4452 -childID 3 -isForBrowser -prefsHandle 4444 -prefMapHandle 4440 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e685e065-e70a-489c-9327-126b4abbf1ea} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:16388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 5004 -prefsLen 30588 -prefMapSize 245077 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ea971ef-60a3-40ab-912e-40871fd617b4} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" utility
    3⤵
    - Checks processor information in registry
    PID:6720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09b1ef24-54c2-4735-8c9f-627f189badb5} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:9504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5508 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4dbe02-1b9e-49c0-aceb-c7eb05190a54} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:17124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 6 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb2759b2-6dd1-4b38-8bf3-74d6797a78fd} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:16844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -childID 7 -isForBrowser -prefsHandle 4472 -prefMapHandle 4452 -prefsLen 27920 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06480d7d-55f4-4f22-a1f8-d539b9447320} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:17164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 8 -isForBrowser -prefsHandle 5504 -prefMapHandle 5584 -prefsLen 28027 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79171039-1c02-4057-8bf2-e1074f6d0452} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:19796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -parentBuildID 20240401114208 -prefsHandle 4764 -prefMapHandle 4772 -prefsLen 30695 -prefMapSize 245077 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82b363a4-6a45-4aee-bfd9-d484025fbe16} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" rdd
    3⤵
    PID:17524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2488 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 3964 -prefMapHandle 3956 -prefsLen 30695 -prefMapSize 245077 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd3a949b-54ca-48fd-96d2-a677fd19828d} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" utility
    3⤵
    - Checks processor information in registry
    PID:17224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6552 -childID 9 -isForBrowser -prefsHandle 6440 -prefMapHandle 6536 -prefsLen 28027 -prefMapSize 245077 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6446d1-0826-4fc7-bc65-8cd73565e4db} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab
    3⤵
    PID:17004
- - C:\Users\Admin\Downloads\SteamtoolsSetup.exe
    "C:\Users\Admin\Downloads\SteamtoolsSetup.exe"
    3⤵
    - Executes dropped EXE
    PID:20036
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM Steamtools.exe /F
      4⤵
      Kills process with taskkill
      PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte132c746h0557h4ad9h954fh3ec29c5365b5
1⤵
PID:21716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd227396dh907eh4da0ha70fh0ab163b45a0b
1⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultaae576c3hfbc0h4d44ha379hc25615be5382
1⤵
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery