1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVAST Software\Avast	utweb_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	utweb_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	utweb_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVG\AV\Dir	utweb_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	utweb_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	utweb_installer.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6232	powershell.exe
1428	powershell.exe
5616	powershell.exe
2992	powershell.exe
2232	powershell.exe
6528	powershell.exe
6972	powershell.exe
408	powershell.exe
3804	powershell.exe
2404	powershell.exe
3460	powershell.exe
1092	powershell.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
93	camo.githubusercontent.com
196	discord.com
210	discord.com
211	discord.com
437	drive.google.com
583	discord.com
905	discord.com
75	camo.githubusercontent.com
442	drive.google.com
519	discord.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_gui.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_dwm.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\WebView2Loader.dll	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe
File opened for modification	C:\Program Files\ExplorerPatcher\ep_setup.exe	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe\:Zone.Identifier:$DATA	ep_setup.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host.dll	ep_setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\aero_ew_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_l.ani	rundll32.exe
File created	C:\Windows\Installer\e68e750.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF65106AEA425C807E.TMP	msiexec.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll	ep_setup.exe
File created	C:\Windows\Installer\e68e752.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6918.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6918.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI706C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DF5E28D9636A5DFCBA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e68e750.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF27E.tmp	msiexec.exe
File opened for modification	C:\Windows\Cursors\aero_busy.ani	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2A174FBB2D865AB8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF27E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DF777EAA46286F5B1F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI317B.tmp-\GameInstallerAdditions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6918.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	ep_setup.exe
File opened for modification	C:\Windows\Installer\MSI706C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI706C.tmp-\GameInstallerAdditions.dll	rundll32.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSIEB3A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB3A.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF27E.tmp-\GameInstallerAdditions.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DF0CA3BF247AB06418.TMP	msiexec.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	ep_setup.exe
File created	C:\Windows\INF\netsstpa.PNF	explorer.exe
File opened for modification	C:\Windows\SystemTemp\temCCA.tmp	Clipup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F0072197-FCF6-41BF-9D38-832B145922DC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA5E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6742.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Cursors\aero_link.cur	rundll32.exe
File created	C:\Windows\SystemTemp\~DF6CA28541AFBDDFDF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e68e7af.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8A37D62368B0DCAC.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew_l.cur	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI687B.tmp	msiexec.exe
File created	C:\Windows\dxgi.dll	ep_setup.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_xl.cur	rundll32.exe
File created	C:\Windows\SystemTemp\~DF37D44F2B398C3395.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI706C.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEB3A.tmp-\GameInstallerAdditions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEB3A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DFA83C874E93C2C5AB.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF6A23C309B5AE2BE.TMP	msiexec.exe
File created	C:\Windows\Installer\e68e7b3.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCC163551ED03A39A.TMP	msiexec.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_xl.ani	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF27E.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI30AF.tmp	msiexec.exe
File created	C:\Windows\Installer\e68e7af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6918.tmp-\GameInstallerAdditions.dll	rundll32.exe

Executes dropped EXE 27 IoCs

pid	Process
6108	ep_setup.exe
6372	utweb_installer.exe
1672	utweb_installer.tmp
4028	Setup.exe
1884	Setup.tmp
3536	Setup.exe
2016	Setup.tmp
2016	hoi4.exe
6572	dowser.exe
6400	bootstrapper-v2.exe
6684	Paradox Launcher.exe
4256	Paradox Launcher.exe
6076	cpatch.exe
2596	Paradox Launcher.exe
5716	hoi4.exe
6680	hoi4.exe
6916	hoi4.exe
7164	dowser.exe
6848	bootstrapper-v2.exe
4676	Paradox Launcher.exe
3368	Paradox Launcher.exe
5336	cpatch.exe
4240	Paradox Launcher.exe
5128	JavaSetup8u431.exe
7044	JavaSetup8u431.exe
4704	JavaSetup8u431.exe
6456	JavaSetup8u431.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2888	sc.exe
7148	sc.exe
7008	sc.exe
6232	sc.exe
5940	sc.exe
1584	sc.exe
3516	sc.exe
3620	sc.exe
6796	sc.exe
4848	sc.exe
5460	sc.exe
4812	sc.exe
6272	sc.exe
3420	sc.exe
5856	sc.exe
3468	sc.exe
3708	sc.exe
3984	sc.exe
5900	sc.exe
5144	sc.exe
4264	sc.exe
4492	sc.exe
5640	sc.exe
5532	sc.exe
6264	sc.exe
3604	sc.exe
7016	sc.exe
7020	sc.exe
3108	sc.exe
5860	sc.exe
6060	sc.exe
6428	sc.exe
5612	sc.exe
1176	sc.exe
6104	sc.exe
3712	sc.exe
2232	sc.exe
6964	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
3780	regsvr32.exe
3780	regsvr32.exe
2156	regsvr32.exe
5556	explorer.exe
4164	StartMenuExperienceHost.exe
4164	StartMenuExperienceHost.exe
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	Setup.tmp
2016	hoi4.exe
2016	hoi4.exe
2016	hoi4.exe
5868	MsiExec.exe
4328	MsiExec.exe
896	MsiExec.exe
72	rundll32.exe
72	rundll32.exe
72	rundll32.exe
896	MsiExec.exe
6860	rundll32.exe
6860	rundll32.exe
6860	rundll32.exe
6684	Paradox Launcher.exe
6684	Paradox Launcher.exe
6684	Paradox Launcher.exe
4256	Paradox Launcher.exe
4256	Paradox Launcher.exe
4256	Paradox Launcher.exe
4256	Paradox Launcher.exe
2596	Paradox Launcher.exe
6684	Paradox Launcher.exe
6684	Paradox Launcher.exe
6684	Paradox Launcher.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ep_setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\utweb_installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\OBS-Studio-30.2.3-Windows-Installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\JavaSetup8u431.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4504	1672	WerFault.exe	480
6388	1672	WerFault.exe	480

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utweb_installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaSetup8u431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaSetup8u431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utweb_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaSetup8u431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaSetup8u431.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6656	PING.EXE
6516	PING.EXE
6512	cmd.exe
6616	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b4c6b626f29820b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b4c6b620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000b4c6b62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0b4c6b62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b4c6b6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	utweb_installer.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	utweb_installer.tmp

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5640	taskkill.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\aero_arrow.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Crosshair	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\aero_pen.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\aero_nesw.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\aero_up.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\aero_busy_l.ani"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Scheme Source = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Hand	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\pin_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\aero_pin.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Arrow	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\size3_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Hand = "%SystemRoot%\\cursors\\aero_link.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\DoubleClickSpeed = "200"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\aero_unavail.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\aero_move_l.cur"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\aero_unavail_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\ = "Windows Default (large)"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\aero_nesw_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\aero_person_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseThreshold1 = "6"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\aero_helpsel_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\up_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\aero_working.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\ = "Windows Black"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\wait_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\aero_helpsel.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\IBeam	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\aero_nwse_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\aero_pin_l.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Scheme Source = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\aero_ew.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\help_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\no_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\aero_person.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\aero_pen_l.cur"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\arrow_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\aero_busy.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\aero_move.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNS = "%SystemRoot%\\cursors\\aero_ns_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\aero_up_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Crosshair = "%SystemRoot%\\cursors\\cross_r.cur"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\aero_nwse.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\pen_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\size2_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\size1_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseTrails = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\IBeam = "%SystemRoot%\\cursors\\beam_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\busy_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Hand = "%SystemRoot%\\cursors\\aero_link_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\ = "Windows Default"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\aero_ew_l.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\person_r.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\SizeNS = "%SystemRoot%\\cursors\\aero_ns.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\aero_arrow_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\aero_working_l.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseSpeed = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133737770023614799"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7120"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 = 4a003100000000005359f81010004d415300380009000400efbe5359f8105359f9102e00000043ac02000000010000000000000000000000000000006198bd004d0041005300000012000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "18203"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1636"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).x = "4294935296"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "1539"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1022"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14418"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1042"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\1 = 54003100000000006d4fc388100055706461746500003e0009000400efbe53590212535902122e000000e0ae0200000001000000000000000000000000000000d693aa00550070006400610074006500000016000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "18203"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).x = "4294967295"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}	regsvr32.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
3896	reg.exe
7056	reg.exe
7136	reg.exe
6784	reg.exe
4060	reg.exe
5384	reg.exe
3004	reg.exe
2992	reg.exe
7072	reg.exe
6408	reg.exe
3324	reg.exe
400	reg.exe
5024	reg.exe
7076	reg.exe
6260	reg.exe
7052	reg.exe
7128	reg.exe
3924	reg.exe
2404	reg.exe
3672	reg.exe
7112	reg.exe
7040	reg.exe
6360	reg.exe
5712	reg.exe
6212	reg.exe
7012	reg.exe
7132	reg.exe
1220	reg.exe
2748	reg.exe
3868	reg.exe
840	reg.exe
248	reg.exe
6164	reg.exe
3184	reg.exe
2180	reg.exe
4316	reg.exe
4976	reg.exe
1840	reg.exe
5480	reg.exe
6336	reg.exe
6800	reg.exe
7140	reg.exe
2672	reg.exe
3980	reg.exe
7120	reg.exe
5616	reg.exe
2196	reg.exe
6312	reg.exe
6704	reg.exe
5764	reg.exe
5928	reg.exe
836	reg.exe
7092	reg.exe
7072	reg.exe
3684	reg.exe
2708	reg.exe
4280	reg.exe
664	reg.exe
7116	reg.exe
5448	reg.exe
6928	reg.exe
4860	reg.exe
3760	reg.exe
2120	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cpatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	cpatch.exe

NTFS ADS 23 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check_Activation_Status.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Troubleshoot.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\_ReadMe.html:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\HWID_Activation.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\Ohook_Activation_AIO.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\Online_KMS_Activation.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master (1).zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\JavaSetup8u431.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\LICENSE:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\README.md:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX.rar:Zone.Identifier	chrome.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe\:Zone.Identifier:$DATA	ep_setup.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Change_Office_Edition.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Extract_OEM_Folder.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\utweb_installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\client.jar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\ep_setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\ReadMe.txt:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\OBS-Studio-30.2.3-Windows-Installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Change_Windows_Edition.cmd:Zone.Identifier	explorer.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6516	PING.EXE
6656	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	360	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2092	AnyDesk.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	AnyDesk.exe
1248	AnyDesk.exe
1248	AnyDesk.exe
1248	AnyDesk.exe
584	chrome.exe
584	chrome.exe
5556	explorer.exe
5556	explorer.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
408	powershell.exe
408	powershell.exe
408	powershell.exe
6232	powershell.exe
6232	powershell.exe
6232	powershell.exe
3804	powershell.exe
3804	powershell.exe
3804	powershell.exe
4988	powershell.exe
4988	powershell.exe
4988	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
6528	powershell.exe
6528	powershell.exe
6528	powershell.exe
6860	powershell.exe
6860	powershell.exe
6860	powershell.exe
6952	powershell.exe
6952	powershell.exe
6952	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
336	AnyDesk.exe
5556	explorer.exe
4660	rundll32.exe
4620	msinfo32.exe
584	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs

pid	Process
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	AnyDesk.exe
Token: 33	2000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2000	AUDIODG.EXE
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe
Token: SeCreatePagefilePrivilege	584	chrome.exe
Token: SeShutdownPrivilege	584	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
6108	ep_setup.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
6108	ep_setup.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
584	chrome.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
336	AnyDesk.exe
336	AnyDesk.exe
4836	MiniSearchHost.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
792	SearchHost.exe
4164	StartMenuExperienceHost.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
4660	rundll32.exe
4660	rundll32.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
1884	Setup.tmp
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
5556	explorer.exe
2016	Setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1248	1996	AnyDesk.exe	79
PID 1996 wrote to memory of 1248	1996	AnyDesk.exe	79
PID 1996 wrote to memory of 1248	1996	AnyDesk.exe	79
PID 1996 wrote to memory of 2092	1996	AnyDesk.exe	80
PID 1996 wrote to memory of 2092	1996	AnyDesk.exe	80
PID 1996 wrote to memory of 2092	1996	AnyDesk.exe	80
PID 584 wrote to memory of 1684	584	chrome.exe	103
PID 584 wrote to memory of 1684	584	chrome.exe	103
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 4560	584	chrome.exe	104
PID 584 wrote to memory of 944	584	chrome.exe	105
PID 584 wrote to memory of 944	584	chrome.exe	105
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106
PID 584 wrote to memory of 2160	584	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1608

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4100

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff98797cc40,0x7ff98797cc4c,0x7ff98797cc58
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5364,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5376 /prefetch:2
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5244,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5632,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5212,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5860,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3620,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6088,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=4856,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5664,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5672,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5160,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4840
- C:\Users\Admin\Downloads\ep_setup.exe
  "C:\Users\Admin\Downloads\ep_setup.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6108
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5640
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
    3⤵
    - Launches sc.exe
    PID:2232
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
    3⤵
    - Launches sc.exe
    PID:2888
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3780
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2156
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Enumerates connected drives
    - Drops file in Windows directory
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:3756
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:6428
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:6420
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_AIO.cmd"
        5⤵
        
        PID:4948
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:3368
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:4020
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:4696
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:5448
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:4716
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
        5⤵
        
        PID:3108
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:5928
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
        5⤵
        
        PID:840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5616
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:3672
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:5284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
    - - C:\Windows\System32\find.exe
        
        find /i "True"
        5⤵
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
        6⤵
        
        PID:1664
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:5612
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:5496
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_AIO.cmd"
        7⤵
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:3468
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        7⤵
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:3348
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        7⤵
        
        PID:3956
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:3272
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        7⤵
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        8⤵
        
        PID:6220
        
        C:\Windows\System32\cmd.exe
        
        cmd
        8⤵
        
        PID:5672
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
        7⤵
        
        PID:4388
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        7⤵
        
        PID:688
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
        7⤵
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6232
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        7⤵
        
        PID:6264
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        7⤵
        
        PID:5344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        7⤵
        
        PID:5592
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6512
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6516
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        7⤵
        
        PID:5892
        
        C:\Windows\System32\find.exe
        
        find "127.69"
        7⤵
        
        PID:6668
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        7⤵
        
        PID:6672
        
        C:\Windows\System32\find.exe
        
        find "127.69.2.7"
        7⤵
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:6740
        
        C:\Windows\System32\find.exe
        
        find /i "/S"
        7⤵
        
        PID:6748
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:6880
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        7⤵
        
        PID:6824
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        7⤵
        
        PID:6852
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        8⤵
        
        PID:6892
        
        C:\Windows\System32\mode.com
        
        mode 76, 33
        7⤵
        
        PID:6916
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789H0 /N
        7⤵
        
        PID:6932
        
        C:\Windows\System32\mode.com
        
        mode 110, 34
        7⤵
        
        PID:664
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6532
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:5768
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6720
        
        C:\Windows\System32\find.exe
        
        find /i "R@1n"
        7⤵
        
        PID:6504
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6952
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6968
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6988
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:7004
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        7⤵
        Modifies registry key
        
        PID:7040
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        7⤵
        Modifies registry key
        
        PID:7012
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        7⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:7072
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        7⤵
        Modifies registry key
        
        PID:7052
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        7⤵
        Modifies registry key
        
        PID:7112
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        7⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        7⤵
        Modifies registry key
        
        PID:7132
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:7148
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6796
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:4492
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        7⤵
        
        PID:5764
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        8⤵
        
        PID:7092
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:3924
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        7⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        7⤵
        
        PID:2712
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        8⤵
        
        PID:5596
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        7⤵
        
        PID:2448
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        8⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        7⤵
        
        PID:5544
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:5612
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:4812
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        7⤵
        
        PID:6464
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        7⤵
        
        PID:6588
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:4616
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        8⤵
        
        PID:5592
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:5864
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6616
        
        C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6656
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6732
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:4392
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6752
        
        C:\Windows\System32\find.exe
        
        find /i "R@1n"
        7⤵
        
        PID:6496
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6844
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6880
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:2520
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:2340
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        7⤵
        Modifies registry key
        
        PID:6928
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        7⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        7⤵
        Modifies registry key
        
        PID:3896
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:6408
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        7⤵
        Modifies registry key
        
        PID:6704
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        7⤵
        Modifies registry key
        
        PID:664
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        7⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        7⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6964
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6972
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:7000
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:7008
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:7016
        
        C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        7⤵
        Launches sc.exe
        
        PID:7020
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        7⤵
        Modifies registry key
        
        PID:7056
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        7⤵
        Modifies registry key
        
        PID:7076
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        7⤵
        Modifies registry key
        
        PID:7072
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:7116
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        7⤵
        Modifies registry key
        
        PID:7128
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        7⤵
        Modifies registry key
        
        PID:7136
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        7⤵
        Modifies registry key
        
        PID:6800
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        7⤵
        Modifies registry key
        
        PID:6784
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:6796
        
        C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        7⤵
        Launches sc.exe
        
        PID:4492
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        7⤵
        Modifies registry key
        
        PID:5384
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        7⤵
        Modifies registry key
        
        PID:7140
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        7⤵
        Modifies registry key
        
        PID:5764
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        7⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        7⤵
        Modifies registry key
        
        PID:5928
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        7⤵
        Modifies registry key
        
        PID:6360
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        7⤵
        Modifies registry key
        
        PID:5448
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:3108
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:5860
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        7⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        7⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        7⤵
        Modifies registry key
        
        PID:2404
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:3760
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        7⤵
        Modifies registry key
        
        PID:7092
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        7⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        7⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        7⤵
        Modifies registry key
        
        PID:3868
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        Launches sc.exe
        
        PID:5532
        
        C:\Windows\System32\sc.exe
        
        sc query KeyIso
        7⤵
        Launches sc.exe
        
        PID:5640
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        7⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        7⤵
        Modifies registry key
        
        PID:5616
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        7⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        7⤵
        Modifies registry key
        
        PID:7120
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        7⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        7⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        7⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:5856
        
        C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        7⤵
        Launches sc.exe
        
        PID:4848
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        7⤵
        Modifies registry key
        
        PID:2992
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        7⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        7⤵
        Modifies registry key
        
        PID:5480
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:5712
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        7⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        7⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        7⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        7⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5460
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        Launches sc.exe
        
        PID:4812
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        7⤵
        Modifies registry key
        
        PID:6312
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        7⤵
        Modifies registry key
        
        PID:248
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        7⤵
        Modifies registry key
        
        PID:6164
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:6212
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        7⤵
        Modifies registry key
        
        PID:4976
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        7⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        7⤵
        Modifies registry key
        
        PID:6336
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        7⤵
        Modifies registry key
        
        PID:6260
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:6272
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:6232
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:1584
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        Launches sc.exe
        
        PID:6060
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:3516
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:6264
        
        C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        7⤵
        Launches sc.exe
        
        PID:6104
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:1900
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:3468
        
        C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        7⤵
        Launches sc.exe
        
        PID:3708
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:6100
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:3604
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:3620
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:232
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:3984
        
        C:\Windows\System32\sc.exe
        
        sc query KeyIso
        7⤵
        Launches sc.exe
        
        PID:1176
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:4780
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        Launches sc.exe
        
        PID:3420
        
        C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        7⤵
        Launches sc.exe
        
        PID:5940
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:72
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:5900
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5144
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:4892
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:3712
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        7⤵
        
        PID:3492
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        8⤵
        
        PID:4260
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        7⤵
        
        PID:6480
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        7⤵
        
        PID:6580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6528
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "6" "
        7⤵
        
        PID:6616
        
        C:\Windows\System32\find.exe
        
        find /i "Error Found"
        7⤵
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
        7⤵
        
        PID:4392
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        8⤵
        
        PID:6836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6860
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:2164
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        7⤵
        
        PID:6708
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:5768
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        7⤵
        
        PID:2180
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440"
        7⤵
        
        PID:6960
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        7⤵
        
        PID:6964
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        7⤵
        
        PID:6992
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:7000
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        7⤵
        
        PID:7044
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        7⤵
        
        PID:5220
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        7⤵
        
        PID:7064
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        7⤵
        
        PID:7040
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        8⤵
        
        PID:7052
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        7⤵
        
        PID:7112
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        7⤵
        
        PID:1056
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        8⤵
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
        7⤵
        
        PID:7144
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        8⤵
        
        PID:7160
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        7⤵
        
        PID:6796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6952
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        7⤵
        
        PID:6324
        
        C:\Windows\System32\find.exe
        
        find /i "Ready"
        7⤵
        
        PID:3108
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        7⤵
        
        PID:5860
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        7⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:5716
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        7⤵
        
        PID:3728
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        8⤵
        
        PID:6072
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
        7⤵
        
        PID:5424
        
        C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        7⤵
        
        PID:1492
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        7⤵
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:5908
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        7⤵
        
        PID:5496
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        7⤵
        
        PID:3272
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        8⤵
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        7⤵
        
        PID:5672
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        8⤵
        
        PID:4976
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        7⤵
        
        PID:3184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        8⤵
        
        PID:6336
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        7⤵
        
        PID:6104
        
        C:\Windows\System32\find.exe
        
        find "AAAA"
        7⤵
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
        7⤵
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1092
        
        C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        7⤵
        
        PID:6932
        
        C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temDB5.tmp
        8⤵
        Checks SCSI registry key(s)
        
        PID:6860
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:6996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6972
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:7040
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:5396
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        7⤵
        
        PID:7124
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:5312
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        7⤵
        
        PID:4704
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        7⤵
        
        PID:3924
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        7⤵
        
        PID:6424
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        7⤵
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        7⤵
        
        PID:5404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
  - - C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\" -ad -an -ai#7zMap13444:162:7zEvent1423
      4⤵
      PID:896
  - - C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\" -ad -an -ai#7zMap30301:162:7zEvent16519
      4⤵
      PID:1092
  - - C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe
      "C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\is-4E25S.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4E25S.tmp\Setup.tmp" /SL5="$F045A,7146615,168448,C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1884
  - - C:\Windows\system32\msinfo32.exe
      "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\codex.nfo"
      4⤵
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      PID:4620
  - - C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe
      "C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\is-NNT6H.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NNT6H.tmp\Setup.tmp" /SL5="$80490,7146615,168448,C:\Users\Admin\Downloads\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Hearts.of.Iron.IV.Man.the.Guns.Update.v1.8.0-CODEX\Update\Setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:1428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff995133cb8,0x7ff995133cc8,0x7ff995133cd8
        5⤵
        
        PID:6784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:2396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
        5⤵
        
        PID:4172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
        5⤵
        
        PID:7000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        5⤵
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        
        PID:3420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        5⤵
        
        PID:4976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18382872537009427099,5462997450671872594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
        5⤵
        
        PID:5536
  - - F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe
      "F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2016
  - - C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "F:\Games\Hearts of Iron IV Man the Guns\launcher-installer-windows.msi"
      4⤵
      Blocklisted process makes network request
      Enumerates connected drives
      PID:6464
  - - F:\Games\Hearts of Iron IV Man the Guns\dowser.exe
      "F:\Games\Hearts of Iron IV Man the Guns\dowser.exe"
      4⤵
      Executes dropped EXE
      PID:6572
    - - C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\bootstrapper-v2.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\bootstrapper-v2.exe" --gameDir "F:\Games\Hearts of Iron IV Man the Guns"
        5⤵
        Executes dropped EXE
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --gameDir "F:\Games\Hearts of Iron IV Man the Guns"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --type=gpu-process --enable-features=SharedArrayBuffer --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=12940815306770259082 --mojo-platform-channel-handle=1444 /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
        7⤵
        
        PID:5376
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        8⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\cpatch.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\cpatch.exe" -q -l "C:\Users\Admin\AppData\Local\Paradox Interactive\launcher-v2\cpatch.log" daemon -p 11000
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --type=renderer --no-sandbox --enable-features=SharedArrayBuffer --service-pipe-token=8518753250953133318 --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ParadoxLauncher/0.1.0 Chrome/69.0.3497.128 Electron/4.2.4 Safari/537.36" --node-integration=false --webview-tag=false --no-sandbox --preload="C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\resources\app.asar\renderers\primary\build\static\js\main.js" --context-isolation --background-color=#131724 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=8518753250953133318 --renderer-client-id=4 --mojo-platform-channel-handle=2272 /prefetch:1
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2596
  - - F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe
      "F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe"
      4⤵
      Executes dropped EXE
      PID:5716
  - - F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe
      "F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe"
      4⤵
      Executes dropped EXE
      PID:6680
  - - C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "F:\Games\Hearts of Iron IV Man the Guns\launcher-installer-windows.msi"
      4⤵
      Enumerates connected drives
      PID:6200
  - - F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe
      "F:\Games\Hearts of Iron IV Man the Guns\hoi4.exe"
      4⤵
      Executes dropped EXE
      PID:6916
  - - F:\Games\Hearts of Iron IV Man the Guns\dowser.exe
      "F:\Games\Hearts of Iron IV Man the Guns\dowser.exe"
      4⤵
      Executes dropped EXE
      PID:7164
    - - C:\Windows\system32\msiexec.exe
        
        msiexec /i "F:\Games\Hearts of Iron IV Man the Guns\launcher-installer-windows.msi" /passive
        5⤵
        
        PID:5892
    - - C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\bootstrapper-v2.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\bootstrapper-v2.exe" --gameDir "F:\Games\Hearts of Iron IV Man the Guns"
        5⤵
        Executes dropped EXE
        
        PID:6848
      - C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --gameDir "F:\Games\Hearts of Iron IV Man the Guns"
        6⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --type=gpu-process --enable-features=SharedArrayBuffer --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6173499205432430096 --mojo-platform-channel-handle=1448 /prefetch:2
        7⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
        7⤵
        
        PID:1576
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        8⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\cpatch.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\cpatch.exe" -q -l "C:\Users\Admin\AppData\Local\Paradox Interactive\launcher-v2\cpatch.log" daemon -p 11000
        7⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\Paradox Launcher.exe" --type=renderer --no-sandbox --enable-features=SharedArrayBuffer --service-pipe-token=10641332698128998353 --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ParadoxLauncher/0.1.0 Chrome/69.0.3497.128 Electron/4.2.4 Safari/537.36" --node-integration=false --webview-tag=false --no-sandbox --preload="C:\Users\Admin\AppData\Local\Programs\Paradox Interactive\launcher-v2.2019.10.3\resources\app.asar\renderers\primary\build\static\js\main.js" --context-isolation --background-color=#131724 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=10641332698128998353 --renderer-client-id=4 --mojo-platform-channel-handle=2260 /prefetch:1
        7⤵
        Executes dropped EXE
        
        PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5428,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3468,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3308,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=3264,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=3480,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6188,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6352,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - NTFS ADS
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6448,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6176,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=6648,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6844,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:6708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6948,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6840,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  PID:7020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7232,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7116,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7264 /prefetch:8
  2⤵
  PID:7000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=6464,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6500,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=8028,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:7068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=8060,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7980 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4476,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8080 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7992,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7400 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7264,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7136 /prefetch:8
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7424,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8328 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7376,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7976 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6696
- C:\Users\Admin\Downloads\utweb_installer.exe
  "C:\Users\Admin\Downloads\utweb_installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6372
- - C:\Users\Admin\AppData\Local\Temp\is-9MP0C.tmp\utweb_installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9MP0C.tmp\utweb_installer.tmp" /SL5="$160412,6124360,834560,C:\Users\Admin\Downloads\utweb_installer.exe"
    3⤵
    - Checks for any installed AV software in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1736
      4⤵
      Program crash
      PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1736
      4⤵
      Program crash
      PID:6388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=7648,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=8156,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=7824,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8224 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=8268,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:7016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=6784,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=6460,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8652,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7528 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6600,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=7852,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8252 /prefetch:1
  2⤵
  PID:6520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=8164,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8004 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6964,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=8132,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=5644,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:6692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=5052,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=7020,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=3456,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=5188,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=6556,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6536,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7848,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1656
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\client.jar"
  2⤵
  PID:7052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=3292,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --field-trial-handle=5108,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=6812,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:6712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=5976,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8524 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7856,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7800,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7452,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4884
- C:\Users\Admin\Downloads\JavaSetup8u431.exe
  "C:\Users\Admin\Downloads\JavaSetup8u431.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5128
- - C:\Users\Admin\AppData\Local\Temp\jds242401171.tmp\JavaSetup8u431.exe
    "C:\Users\Admin\AppData\Local\Temp\jds242401171.tmp\JavaSetup8u431.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7044
- C:\Users\Admin\Downloads\JavaSetup8u431.exe
  "C:\Users\Admin\Downloads\JavaSetup8u431.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\jds242424453.tmp\JavaSetup8u431.exe
    "C:\Users\Admin\AppData\Local\Temp\jds242424453.tmp\JavaSetup8u431.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6456
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\client.jar"
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=8152,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=5068,i,8168946803012545032,7070305400613642907,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:2008

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5392

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1416

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6752

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:6616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4184
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temCCA.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:6912

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;Trigger=TimerEvent
1⤵
PID:1428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1584

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl
1⤵
- Modifies Control Panel
PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1672 -ip 1672
1⤵
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1672 -ip 1672
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:3980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4C5F8687C81F0619E9F75A393310285E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5868
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0DA2B652E4F8BB9CF08B9A296D5375DA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4328
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3B5599ADECEE9E5C14A9362A1E42A844
  2⤵
  - Loads dropped DLL
  PID:896
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIEB3A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241757015 12 GameInstallerAdditions!GameInstallerAdditions.CustomAction.installAdditions
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:72
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF27E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241758843 23 GameInstallerAdditions!GameInstallerAdditions.CustomAction.removeTempDirAfterInstall
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:6860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9C30DCACCEEC5912D2FBE5B39B76AC1B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:72
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 43479D8319F95AAE328EFB4F6B7B0562
  2⤵
  PID:3892
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI317B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242037140 66 GameInstallerAdditions!GameInstallerAdditions.CustomAction.cleanupOnUninstall
    3⤵
    - Drops file in Windows directory
    PID:1200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1500AD29440DB574AF5E064F94B2F85
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7144
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BE979C65A30B57E691D5A35B644C3408
  2⤵
  PID:472
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI6918.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242051375 93 GameInstallerAdditions!GameInstallerAdditions.CustomAction.installAdditions
    3⤵
    - Drops file in Windows directory
    PID:3660
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI706C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242053218 104 GameInstallerAdditions!GameInstallerAdditions.CustomAction.removeTempDirAfterInstall
    3⤵
    - Drops file in Windows directory
    PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2120

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:3872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5628

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\fa1971eee13547699bf14a187450d32f /t 5764 /p 7044
1⤵
PID:228

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\afc7ee13ad9548768da7b7617e267406 /t 6776 /p 6456
1⤵
PID:6856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery