1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lightshot = "C:\\Program Files (x86)\\Skillbrains\\lightshot\\Lightshot.exe"	setup-lightshot.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3828	powershell.exe
4900	powershell.exe
1308	powershell.exe
4836	powershell.exe
3288	powershell.exe
1068	powershell.exe
4900	powershell.exe
2932	powershell.exe
5788	powershell.exe
1448	powershell.exe
3904	powershell.exe
5516	powershell.exe
1096	powershell.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
198	discord.com
1	discord.com
155	discord.com
197	discord.com
202	discord.com
365	discord.com
472	discord.com
4	camo.githubusercontent.com
81	camo.githubusercontent.com
82	camo.githubusercontent.com
562	discord.com
563	discord.com
80	camo.githubusercontent.com
97	discord.com
169	discord.com
364	discord.com
473	discord.com
83	camo.githubusercontent.com
84	camo.githubusercontent.com
98	discord.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-QGCLK.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-AS1C7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-UUN6F.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-D92VJ.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-4GH1T.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-TLTJ7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-EKI0N.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-SSJKI.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1O8Q3.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-OULH4.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-NAPOF.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-SCDT0.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-NT4VQ.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-OE5CH.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-4B3D0.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-3J29H.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-TEGGH.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-5N1KT.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-445GD.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-UO6MU.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-JBRUJ.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-3M7VN.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\info.xml	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-M78PK.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-MN00S.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-70TVH.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-9T1J7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LMKCJ.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-94UNH.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-J3BJ9.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-BEE98.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-VV9EB.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-DOD0M.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-CV9L7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-N5032.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.msg	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\info.xml	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-37BIT.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-4TUFU.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LPG5Q.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1H7UU.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-I1AQG.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-F5VRT.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-7UM9C.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-4LRQC.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-PJN0A.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-O76EP.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-7M82B.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-H2LLB.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1AC3I.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-C7I89.tmp	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-29EB1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-8VDHO.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-6RFTD.tmp	setup-lightshot.tmp

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_l.ani	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1770979864\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\LICENSE	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\manifest.fingerprint	Discord.exe
File opened for modification	\??\c:\windows\cursors\aero_helpsel.cur	rundll32.exe
File opened for modification	\??\c:\windows\cursors\aero_ew_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_xl.ani	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_4020_368374454\neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	\??\c:\windows\cursors\aero_helpsel_l.cur	rundll32.exe
File opened for modification	\??\c:\windows\cursors\aero_ew.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy.ani	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_xl.cur	rundll32.exe
File opened for modification	\??\c:\windows\cursors\aero_arrow.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link.cur	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\manifest.json	Discord.exe
File created	C:\Windows\Tasks\update-sys.job	Updater.exe
File opened for modification	C:\Windows\Cursors\aero_arrow.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_xl.cur	rundll32.exe
File opened for modification	\??\c:\windows\cursors\aero_arrow_l.cur	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_4020_72213083\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1770979864\Google.Widevine.CDM.dll	Discord.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew_xl.cur	rundll32.exe
File opened for modification	C:\Windows\SystemTemp\temC3E9.tmp	Clipup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1770979864\manifest.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	\??\c:\windows\cursors\aero_ew_l.cur	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1770979864\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4020_1784065105\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\Tasks\update-S-1-5-21-4018527317-446799424-2810249686-1000.job	updater.exe

Executes dropped EXE 64 IoCs

pid	Process
4516	DiscordSetup.exe
1736	Update.exe
2548	Discord.exe
5584	Discord.exe
1684	Update.exe
1552	Discord.exe
5096	Discord.exe
1476	VencordInstallerCli.exe
4020	Discord.exe
584	Discord.exe
2408	Discord.exe
4052	Discord.exe
3120	Discord.exe
196	Discord.exe
4976	Discord.exe
6992	Discord.exe
1092	Discord.exe
4888	Discord.exe
536	Discord.exe
2784	gpu_encoder_helper.exe
6224	gpu_encoder_helper.exe
196	gpu_encoder_helper.exe
6404	Update.exe
6484	Discord.exe
6752	Discord.exe
1152	Discord.exe
6440	Discord.exe
6264	Discord.exe
4976	Discord.exe
2876	Discord.exe
2712	Discord.exe
7052	Discord.exe
6988	gpu_encoder_helper.exe
852	gpu_encoder_helper.exe
3380	gpu_encoder_helper.exe
5956	gpu_encoder_helper.exe
3176	gpu_encoder_helper.exe
5832	gpu_encoder_helper.exe
884	Discord.exe
3112	Discord.exe
604	Discord.exe
5904	Discord.exe
3700	Discord.exe
6384	Discord.exe
4844	Discord.exe
6552	Discord.exe
5340	Discord.exe
3928	gpu_encoder_helper.exe
3176	gpu_encoder_helper.exe
4176	gpu_encoder_helper.exe
6208	setup-lightshot.exe
3288	setup-lightshot.tmp
5712	Lightshot.exe
1432	Lightshot.exe
1176	setupupdater.exe
2336	setupupdater.tmp
7092	Updater.exe
1388	Updater.exe
3456	Updater.exe
5372	Updater.exe
6564	Updater.exe
6464	updater.exe
2236	updater.exe
1980	updater.exe

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4772	sc.exe
5392	sc.exe
2880	sc.exe
4632	sc.exe
5332	sc.exe
3040	sc.exe
1744	sc.exe
5884	sc.exe
2156	sc.exe
480	sc.exe
5088	sc.exe
4580	sc.exe
1164	sc.exe
2880	sc.exe
5344	sc.exe
5788	sc.exe
1412	sc.exe
2792	sc.exe
1788	sc.exe
3908	sc.exe
3480	sc.exe
4296	sc.exe
2388	sc.exe
5028	sc.exe
2788	sc.exe
1572	sc.exe
5432	sc.exe
4712	sc.exe
5432	sc.exe
468	sc.exe
4836	sc.exe
5488	sc.exe
3016	sc.exe
460	sc.exe
400	sc.exe
2872	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
2548	Discord.exe
5584	Discord.exe
1552	Discord.exe
5096	Discord.exe
1552	Discord.exe
1552	Discord.exe
1552	Discord.exe
1552	Discord.exe
1164	taskmgr.exe
4020	Discord.exe
584	Discord.exe
4020	Discord.exe
2408	Discord.exe
4052	Discord.exe
2408	Discord.exe
2408	Discord.exe
2408	Discord.exe
2408	Discord.exe
3120	Discord.exe
196	Discord.exe
4976	Discord.exe
6992	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
4888	Discord.exe
536	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
1092	Discord.exe
6484	Discord.exe
6752	Discord.exe
6484	Discord.exe
1152	Discord.exe
6440	Discord.exe
6264	Discord.exe
1152	Discord.exe
1152	Discord.exe
1152	Discord.exe
1152	Discord.exe
4976	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2712	Discord.exe
7052	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe
2876	Discord.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VencordInstallerCli.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\setup-lightshot.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-lightshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-lightshot.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupupdater.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VencordInstallerCli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4444	cmd.exe
5600	PING.EXE
716	cmd.exe
5044	PING.EXE
5372	Updater.exe
6564	Updater.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5032	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1372	taskkill.exe
2944	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\ = "Windows Default"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Arrow = "%USERPROFILE%\\Downloads\\Red1.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Mouse\DoubleClickSpeed = "200"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors	rundll32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765850751050098"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	Discord.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{B2B5F636-AA39-4277-A72A-BABAC63A6F93}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000030000000200000001000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Discord.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	Discord.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Discord.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Discord.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupCollapseState = 00000000000000000000000000000000000000000000000000000000000000000100000006000000000000000600000054006f006400610079000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\shell	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Discord.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "7"	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{8650773E-3CF5-4C22-AF4D-C135A7E47339}	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9170\\Discord.exe\",-1"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	Discord.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Discord.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0 = 560031000000000047599463100057696e646f777300400009000400efbec5522d60745954702e000000a6050000000001000000000000000000000000000000d2bafa00570069006e0064006f0077007300000016000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\shell\open\command	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9170\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Discord.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Discord.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	rundll32.exe

Modifies registry key 1 TTPs 61 IoCs

Modify Registry

pid	Process
3160	reg.exe
4832	reg.exe
4312	reg.exe
2348	reg.exe
5888	reg.exe
1952	reg.exe
6516	reg.exe
1736	reg.exe
2420	reg.exe
824	reg.exe
3828	reg.exe
228	reg.exe
5744	reg.exe
4176	reg.exe
2000	reg.exe
2236	reg.exe
4288	reg.exe
4016	reg.exe
3028	reg.exe
2196	reg.exe
844	reg.exe
940	reg.exe
5024	reg.exe
460	reg.exe
1224	reg.exe
4712	reg.exe
2796	reg.exe
5032	reg.exe
236	reg.exe
4400	reg.exe
1220	reg.exe
2076	reg.exe
2204	reg.exe
5156	reg.exe
4180	reg.exe
4856	reg.exe
536	reg.exe
5516	reg.exe
1148	reg.exe
5232	reg.exe
4000	reg.exe
2056	reg.exe
5360	reg.exe
2956	reg.exe
5116	reg.exe
5292	reg.exe
3044	reg.exe
5064	reg.exe
3632	reg.exe
3404	reg.exe
4008	reg.exe
536	reg.exe
220	reg.exe
2012	reg.exe
5644	reg.exe
2276	reg.exe
2320	reg.exe
2464	reg.exe
356	reg.exe
1412	reg.exe
5108	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VencordInstallerCli.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstallerCli.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstallerCli.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\VencordInstallerCli.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\tenor.png:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\setup-lightshot.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Red15.cur:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Red1.cur:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5044	PING.EXE
5600	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5640	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	AnyDesk.exe
1424	AnyDesk.exe
1424	AnyDesk.exe
1424	AnyDesk.exe
1424	AnyDesk.exe
1424	AnyDesk.exe
5844	AnyDesk.exe
5844	AnyDesk.exe
5268	chrome.exe
5268	chrome.exe
3288	powershell.exe
3288	powershell.exe
3288	powershell.exe
5516	powershell.exe
5516	powershell.exe
5516	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
5788	powershell.exe
5788	powershell.exe
5788	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3568	AnyDesk.exe
2876	Discord.exe
6484	Discord.exe
5880	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
6668	msedge.exe
6668	msedge.exe
6668	msedge.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5268	chrome.exe
5268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	AnyDesk.exe
Token: 33	900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	900	AUDIODG.EXE
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe
Token: SeCreatePagefilePrivilege	5268	chrome.exe
Token: SeShutdownPrivilege	5268	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5640	AnyDesk.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
5268	chrome.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe
1164	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3568	AnyDesk.exe
3568	AnyDesk.exe
6876	chrome.exe
6484	Discord.exe
6484	Discord.exe
5880	rundll32.exe
5880	rundll32.exe
5880	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5844 wrote to memory of 1424	5844	AnyDesk.exe	77
PID 5844 wrote to memory of 1424	5844	AnyDesk.exe	77
PID 5844 wrote to memory of 1424	5844	AnyDesk.exe	77
PID 5844 wrote to memory of 5640	5844	AnyDesk.exe	78
PID 5844 wrote to memory of 5640	5844	AnyDesk.exe	78
PID 5844 wrote to memory of 5640	5844	AnyDesk.exe	78
PID 5268 wrote to memory of 1928	5268	chrome.exe	98
PID 5268 wrote to memory of 1928	5268	chrome.exe	98
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 3872	5268	chrome.exe	99
PID 5268 wrote to memory of 4860	5268	chrome.exe	100
PID 5268 wrote to memory of 4860	5268	chrome.exe	100
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101
PID 5268 wrote to memory of 1332	5268	chrome.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3568
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1151cc40,0x7ffb1151cc4c,0x7ffb1151cc58
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3568,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4336,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5000,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3376,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5396,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5428,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3204,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5468,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3404,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3244,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5052,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3324,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3212,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5988,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5776,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6224,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6220,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6576,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6748,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6164,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4568
- C:\Users\Admin\Downloads\DiscordSetup.exe
  "C:\Users\Admin\Downloads\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --squirrel-install 1.0.9170
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2548
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9170 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x550,0x554,0x558,0x548,0x55c,0x7ff7fce3a538,0x7ff7fce3a544,0x7ff7fce3a550
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5584
    - - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2236,i,16103229518861843854,9421789804117119174,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2752,i,16103229518861843854,9421789804117119174,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:11
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5096
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3160
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry key
        
        PID:356
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1952
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe\",-1" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:5292
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2236
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --squirrel-firstrun
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      PID:4020
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9170 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x544,0x548,0x54c,0x53c,0x550,0x7ff7fce3a538,0x7ff7fce3a544,0x7ff7fce3a550
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:584
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2320,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2608,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:11
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4052
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry key
        
        PID:460
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2920,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2916 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3120
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:3044
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe\",-1" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1412
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry key
        
        PID:5064
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4180,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:14
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:196
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4292,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:14
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4976
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4284,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4304 --enable-node-leakage-in-renderers /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6992
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4244,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4232 --enable-node-leakage-in-renderers /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Checks processor information in registry
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
        6⤵
        Executes dropped EXE
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
        6⤵
        Executes dropped EXE
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
        6⤵
        Executes dropped EXE
        
        PID:196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
        6⤵
        
        PID:6684
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=3644,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:12
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4472,i,1286012830420216254,9745952461452652862,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4468 /prefetch:14
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/handoff?rpc=6463&key=38058371-06e7-428f-8ba5-c9f77e3007f2
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb0abf3cb8,0x7ffb0abf3cc8,0x7ffb0abf3cd8
        6⤵
        
        PID:1852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
        6⤵
        
        PID:6748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        6⤵
        
        PID:6928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
        6⤵
        
        PID:2288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        6⤵
        
        PID:7164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:7128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        6⤵
        
        PID:6152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4080 /prefetch:8
        6⤵
        
        PID:6440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1844,12170854146504635253,11391183596899375582,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3512 /prefetch:8
        6⤵
        
        PID:6408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6848,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5212,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5036,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4764,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6968,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5536,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6416,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4560
- C:\Users\Admin\Downloads\VencordInstallerCli.exe
  "C:\Users\Admin\Downloads\VencordInstallerCli.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6908,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:6840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6444,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  PID:6288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6948,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5528,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4332,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6268,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6960,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7060,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7244 /prefetch:8
  2⤵
  PID:6192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6256,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  PID:6176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7320,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7368 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2804
- C:\Users\Admin\Downloads\setup-lightshot.exe
  "C:\Users\Admin\Downloads\setup-lightshot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6208
- - C:\Users\Admin\AppData\Local\Temp\is-LSV9M.tmp\setup-lightshot.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LSV9M.tmp\setup-lightshot.tmp" /SL5="$1B038C,2148280,486912,C:\Users\Admin\Downloads\setup-lightshot.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1372
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /F /IM lightshot.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2944
  - - C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
      "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe
        
        "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\is-C5H2H.tmp\setupupdater.exe
      "C:\Users\Admin\AppData\Local\Temp\is-C5H2H.tmp\setupupdater.exe" /verysilent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\is-O4H8O.tmp\setupupdater.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O4H8O.tmp\setupupdater.tmp" /SL5="$60516,490430,120832,C:\Users\Admin\AppData\Local\Temp\is-C5H2H.tmp\setupupdater.exe" /verysilent
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" START SCHEDULE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 START SCHEDULE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
        6⤵
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7092
      - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        7⤵
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
      - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5372
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6564
  - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6464
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
  - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1980
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb0abf3cb8,0x7ffb0abf3cc8,0x7ffb0abf3cd8
        5⤵
        
        PID:248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
        5⤵
        
        PID:1284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        5⤵
        
        PID:3280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        5⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        
        PID:1688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:6604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7684183997394729007,14487932670174003644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        5⤵
        
        PID:6260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6752,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=7360,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7660,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7620 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7620,i,3779908844140752322,10759242977027262484,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7424 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3284

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:4948
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:5432
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4696
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:3636
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:3064
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3360
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:576
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
  2⤵
  PID:5812
- C:\Windows\System32\find.exe
  find /i "ARM64"
  2⤵
  PID:1740
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5000
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:5996
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:4736
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:5148
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:3588
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:1372
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5516
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:5464
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:2880
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:852
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:5156
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:5004
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:4996
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:5024
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:884
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4856
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
      4⤵
      PID:2420
  - - C:\Windows\System32\find.exe
      find /i "ARM64"
      4⤵
      PID:5096
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:2188
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:5248
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:5736
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:4392
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:4924
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:5028
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:6004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2932
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:3748
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4444
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5600
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
      4⤵
      PID:3320
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:5244
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
      4⤵
      PID:4568
  - - C:\Windows\System32\find.exe
      find "127.69.2.8"
      4⤵
      PID:5356
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:3476
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:4652
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:5044
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:5764
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:1996
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:3040
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:760
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:4964
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:5416
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:3008
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:4580
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1852
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5412
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4864
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5488
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:468
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:5148
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:4736
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:4176
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:2804
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:3632
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:3276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:1736
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:1728
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:4908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:5344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5788
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:6008
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
      4⤵
      PID:3524
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:4392
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:5376
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:2424
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5872
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:3856
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:3476
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:716
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5044
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:1188
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5432
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:460
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2728
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3360
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5416
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:400
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:4580
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:4512
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:3480
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4836
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:5488
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:5744
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:4832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      Modifies registry key
      PID:5360
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      Modifies registry key
      PID:5108
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:4312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:4176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:3632
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      Modifies registry key
      PID:2000
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:1164
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:4296
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:2204
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:940
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:4400
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:3028
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:4000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:1736
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      Modifies registry key
      PID:2056
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:2196
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5344
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:2880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:5156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:4180
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:1224
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:2348
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:5516
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:1220
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:2872
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:5788
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      Modifies registry key
      PID:4008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:844
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      Modifies registry key
      PID:2276
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      Modifies registry key
      PID:2076
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:2956
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      Modifies registry key
      PID:2420
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:2320
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      Modifies registry key
      PID:5024
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:2388
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:2156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:2464
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:4712
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:5116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      Modifies registry key
      PID:220
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      Modifies registry key
      PID:5032
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:1148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      Modifies registry key
      PID:5644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:4016
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4632
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5028
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:5888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:2012
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:2796
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:824
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:3828
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:228
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:5232
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:480
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:3016
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1744
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5088
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:4772
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2788
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:1412
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4444
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1572
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:5392
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5356
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5884
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5332
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4696
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2792
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:3040
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1308
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5432
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:460
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4964
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:1788
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:3908
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5812
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4580
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:4512
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:1640
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:4864
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:4624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "10" "
      4⤵
      PID:940
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:2192
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
      4⤵
      PID:3272
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        5⤵
        
        PID:3340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2196
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:5096
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:4528
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:2276
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440 0x80131501"
      4⤵
      PID:3036
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:1548
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:2188
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:2320
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:2680
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:4392
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:2156
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:2944
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:5636
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:1448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:1360
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:3316
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:6124
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:5492
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:5088
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:4568
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:1688
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:4488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4836
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:5908
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2204
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:3272
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:1096
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:5344
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:4260
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:1180
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:4716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:2040
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:5096
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:2076
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:3036
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:4904
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:5284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:4632
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
      4⤵
      PID:3928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4900
  - - C:\Windows\System32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:5032
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:6000
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temCDCC.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:3416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1096
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
      4⤵
      PID:2620
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:5832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
      4⤵
      PID:1976
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:3472
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:1360
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
      4⤵
      PID:4632
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
      4⤵
      PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
      4⤵
      PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:5024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2188
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temC3E9.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:2752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2392

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:1164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6092

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6404
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6484
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9170 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.0.0 --initial-client-data=0x57c,0x580,0x584,0x574,0x588,0x7ff7fce3a538,0x7ff7fce3a544,0x7ff7fce3a550
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6752
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2168,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1152
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2308,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6440
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2720,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6264
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --no-sandbox --no-zygote --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3860,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3844 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4976
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --no-sandbox --no-zygote --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3928,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3932 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2876
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
      4⤵
      Executes dropped EXE
      PID:852
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
      4⤵
      Executes dropped EXE
      PID:3380
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
      4⤵
      Executes dropped EXE
      PID:6988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
      4⤵
      PID:6512
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
      4⤵
      Executes dropped EXE
      PID:5956
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
      4⤵
      Executes dropped EXE
      PID:3176
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
      4⤵
      Executes dropped EXE
      PID:5832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
      4⤵
      PID:6712
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
      4⤵
      Executes dropped EXE
      PID:3928
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
      4⤵
      Executes dropped EXE
      PID:3176
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
      "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
      4⤵
      Executes dropped EXE
      PID:4176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
      4⤵
      PID:7160
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=3332,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:12
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2712
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=4076,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:14
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/handoff?rpc=6463&key=01ff3bd8-4ae4-44b7-b762-4c713383e12c
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb0abf3cb8,0x7ffb0abf3cc8,0x7ffb0abf3cd8
      4⤵
      PID:6684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
      4⤵
      PID:252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:2140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:5124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3504 /prefetch:8
      4⤵
      PID:5296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,16039185612197690342,919316605617750900,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3524 /prefetch:8
      4⤵
      Modifies registry class
      PID:5340
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4864,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4860 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
    3⤵
    - Modifies registry key
    PID:4288
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4856
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4436,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:10
    3⤵
    - Executes dropped EXE
    PID:3112
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4840,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4844 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:604
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4952,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4480 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:5904
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4400,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4908 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:3700
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4936,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4948 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:6384
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3900,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3284 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:4844
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4260,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4288 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:6552
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9170\resources\_app.asar" --enable-sandbox --enable-blink-features=EnumerateDevices,AudioOutputDevices --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5164,i,13881005933961315393,11072274433151853351,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,AllowAggressiveThrottlingWithWebSocketWinRetrieveSuggestionsOnlyOnDemand,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5212 --enable-node-leakage-in-renderers /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:5340
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
    3⤵
    - Modifies registry key
    PID:6516
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6712

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:3032

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5784

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery