hxxps://drive[.]google[.]com/drive/folders/10giNQ3CzG2OWwqUogveWyzYYsj5zuqD4?usp=drive_link

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE

Possible privilege escalation attempt 17 IoCs

exploit

pid	Process
5208	icacls.exe
4116	icacls.exe
5032	icacls.exe
4152	icacls.exe
2744	takeown.exe
2548	icacls.exe
5280	takeown.exe
5036	icacls.exe
3176	takeown.exe
5684	takeown.exe
3404	takeown.exe
5844	icacls.exe
5756	takeown.exe
4756	icacls.exe
4568	takeown.exe
5112	takeown.exe
2796	takeown.exe

Executes dropped EXE 3 IoCs

pid	Process
2512	Explorer.EXE
132	Explorer.EXE
1404	Explorer.EXE

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5112	takeown.exe
5756	takeown.exe
5280	takeown.exe
5036	icacls.exe
5032	icacls.exe
3176	takeown.exe
5684	takeown.exe
3404	takeown.exe
2548	icacls.exe
4756	icacls.exe
4568	takeown.exe
2744	takeown.exe
2796	takeown.exe
4152	icacls.exe
5208	icacls.exe
4116	icacls.exe
5844	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1380	powershell.exe
1432	powershell.exe
1392	powershell.exe
2152	powershell.exe
5148	powershell.exe
3500	powershell.exe
2160	powershell.exe
3864	powershell.exe
2476	powershell.exe
5472	powershell.exe
932	powershell.exe
3360	powershell.exe
3092	powershell.exe
5600	powershell.exe
2824	powershell.exe
4716	powershell.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	Explorer.EXE
File opened (read-only)	\??\F:	Explorer.EXE
File opened (read-only)	\??\D:	Explorer.EXE
File opened (read-only)	\??\F:	Explorer.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
250	drive.google.com
396	drive.google.com
472	drive.google.com
2	drive.google.com
5	drive.google.com
7	drive.google.com
127	drive.google.com
196	drive.google.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Explorer.EXE

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe	xcopy.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	xcopy.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml	xcopy.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml	xcopy.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\explorer.exe	xcopy.exe
File opened for modification	C:\Windows\explorer.exe	xcopy.exe
File created	C:\Windows\explorer.exe\:Zone.Identifier:$DATA	xcopy.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml	xcopy.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	xcopy.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	xcopy.exe
File opened for modification	C:\Windows\SystemTemp\temC162.tmp	Clipup.exe

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3120	sc.exe
1120	sc.exe
4516	sc.exe
4076	sc.exe
4956	sc.exe
588	sc.exe
5868	sc.exe
3336	sc.exe
968	sc.exe
3096	sc.exe
6056	sc.exe
1444	sc.exe
3956	sc.exe
1044	sc.exe
4296	sc.exe
3500	sc.exe
3856	sc.exe
5608	sc.exe
3796	sc.exe
2260	sc.exe
2936	sc.exe
3616	sc.exe
3856	sc.exe
968	sc.exe
1468	sc.exe
2416	sc.exe
2148	sc.exe
1044	sc.exe
2116	sc.exe
5192	sc.exe
2920	sc.exe
3236	sc.exe
4992	sc.exe
5872	sc.exe
5540	sc.exe
4992	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5236	cmd.exe
4048	PING.EXE
2140	cmd.exe
1704	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Explorer.EXE

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5528	taskkill.exe
1616	taskkill.exe
4836	taskkill.exe

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\TranscodedImageCount = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Keyboard	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Colors	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\TranscodedImageCount = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Keyboard	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Colors	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778157641580836"	chrome.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\ExtendedProperties	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Mode = "8"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1048"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "13"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727749804457597"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1982"	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2410826464-2353372766-2364966905-1000\{D3A766E3-53F8-480F-8C5D-B3A5C01E0FB4}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e8070c0050004300480020003500340025000d000a005a0072007a00620065006c0020003700310025000d000a0051007600660078002000310025000d000a004100720067006a00620065007800200030002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000200000000000000000000000000000000000000000000000000000000000000922dfbf38a46db0100000000000000000000000047006e006600780020005a006e0061006e00740072006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000006ac84468ae18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8300"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14254"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1015"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = a9021f005902d5dfa3234b02040000000000470200003153505305d5cdd59c2e1b10939708002b2cf9ae7f01000012000000004100750074006f004c006900730074000000420000001e000000700072006f00700034003200390034003900360037003200390035000000000035010000aea54e38e1ad8a4e8a9b7bea78fff1e90600008000000000010000000200008001000000010000000200000020000000000000002f0014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001e00530065006100720063006800200052006500730075006c0074007300200069006e002000570069006e0064006f00770073002000280043003a002900000000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d0065000000140000007b6bc36a3b0000007300000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f00000020000000530065006100720063006800200052006500730075006c0074007300200069006e002000570069006e0064006f00770073002000280043003a0029003000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000007f020000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2410826464-2353372766-2364966905-1000\{6C24D131-A8C6-48B8-98C3-112DD58C1B2F}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13287"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1015"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100040000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000006ac84468ae18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14694"	SearchHost.exe

Modifies registry key 1 TTPs 48 IoCs

Modify Registry

pid	Process
5424	reg.exe
3980	reg.exe
6124	reg.exe
236	reg.exe
904	reg.exe
1456	reg.exe
2948	reg.exe
3800	reg.exe
5372	reg.exe
5880	reg.exe
1416	reg.exe
2768	reg.exe
3956	reg.exe
2920	reg.exe
3536	reg.exe
1616	reg.exe
5664	reg.exe
1900	reg.exe
3660	reg.exe
3748	reg.exe
2564	reg.exe
5236	reg.exe
3880	reg.exe
5104	reg.exe
1580	reg.exe
1216	reg.exe
5148	reg.exe
3272	reg.exe
4272	reg.exe
6044	reg.exe
960	reg.exe
1008	reg.exe
4956	reg.exe
1588	reg.exe
2468	reg.exe
5228	reg.exe
408	reg.exe
4728	reg.exe
3472	reg.exe
6080	reg.exe
1944	reg.exe
4296	reg.exe
2232	reg.exe
1432	reg.exe
5444	reg.exe
2188	reg.exe
5720	reg.exe
5452	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\10-20241204T200022Z-001.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\AdminAccess.bat:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy-20241204T200724Z-001.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft.Windows.Search_cw5n1h2txyewy-20241204T200909Z-001.zip:Zone.Identifier	chrome.exe
File created	C:\Windows\explorer.exe\:Zone.Identifier:$DATA	xcopy.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
568	NOTEPAD.EXE
1216	NOTEPAD.EXE
4464	NOTEPAD.EXE
392	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4048	PING.EXE
1704	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2512	Explorer.EXE
1404	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
5344	powershell.exe
5344	powershell.exe
5344	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
5600	powershell.exe
5600	powershell.exe
5600	powershell.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
5724	powershell.exe
5724	powershell.exe
5724	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
5472	powershell.exe
5472	powershell.exe
5472	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
932	powershell.exe
932	powershell.exe
932	powershell.exe
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe
5904	powershell.exe
5904	powershell.exe
5904	powershell.exe
6116	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2512	Explorer.EXE
2256	Taskmgr.exe
1404	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE
2512	Explorer.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2512	Explorer.EXE
712	SearchHost.exe
2512	Explorer.EXE
1404	Explorer.EXE
2744	SearchHost.exe
5744	StartMenuExperienceHost.exe
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 5556	656	chrome.exe	79
PID 656 wrote to memory of 5556	656	chrome.exe	79
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 864	656	chrome.exe	80
PID 656 wrote to memory of 5848	656	chrome.exe	81
PID 656 wrote to memory of 5848	656	chrome.exe	81
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82
PID 656 wrote to memory of 468	656	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/10giNQ3CzG2OWwqUogveWyzYYsj5zuqD4?usp=drive_link
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3d2dcc40,0x7ffc3d2dcc4c,0x7ffc3d2dcc58
  2⤵
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:3
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4616,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5028,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=736 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3132,i,3051164936093932351,13536041021240615433,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1124

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4492

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:5344
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd" "
    3⤵
    PID:2372
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:588
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:392
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd"
      4⤵
      PID:2188
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:1900
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:2916
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:1712
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
      4⤵
      PID:5188
  - - C:\Windows\System32\find.exe
      find /i "ARM64"
      4⤵
      PID:2020
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:3360
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:3228
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:4800
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd" "
      4⤵
      PID:928
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1852
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:1344
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5600
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:2784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd""" -el -qedit'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2160
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd" -el -qedit"
        5⤵
        
        PID:5960
      - C:\Windows\System32\sc.exe
        
        sc query Null
        6⤵
        Launches sc.exe
        
        PID:3616
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:4212
      - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd"
        6⤵
        
        PID:2148
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        6⤵
        
        PID:2136
      - C:\Windows\System32\find.exe
        
        find /i "/"
        6⤵
        
        PID:568
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        6⤵
        
        PID:6056
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        6⤵
        
        PID:4744
      - C:\Windows\System32\find.exe
        
        find /i "0x0"
        6⤵
        
        PID:1432
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        6⤵
        
        PID:5716
      - C:\Windows\System32\find.exe
        
        find /i "ARM64"
        6⤵
        
        PID:3956
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        6⤵
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        7⤵
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        cmd
        7⤵
        
        PID:2152
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd" "
        6⤵
        
        PID:3732
      - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        
        PID:2564
      - C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
        6⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3864
      - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        6⤵
        
        PID:3856
      - C:\Windows\System32\fltMC.exe
        
        fltmc
        6⤵
        
        PID:1252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
      - C:\Windows\System32\find.exe
        
        find /i "True"
        6⤵
        
        PID:1016
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5236
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4048
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
        6⤵
        
        PID:5108
      - C:\Windows\System32\find.exe
        
        find "127.69"
        6⤵
        
        PID:3208
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
        6⤵
        
        PID:5944
      - C:\Windows\System32\find.exe
        
        find "127.69.2.8"
        6⤵
        
        PID:3012
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        6⤵
        
        PID:3788
      - C:\Windows\System32\find.exe
        
        find /i "/S"
        6⤵
        
        PID:588
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        6⤵
        
        PID:1948
      - C:\Windows\System32\find.exe
        
        find /i "/"
        6⤵
        
        PID:5540
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        6⤵
        
        PID:2936
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        7⤵
        
        PID:5760
      - C:\Windows\System32\mode.com
        
        mode 76, 33
        6⤵
        
        PID:2028
      - C:\Windows\System32\choice.exe
        
        choice /C:123456789H0 /N
        6⤵
        
        PID:3644
      - C:\Windows\System32\mode.com
        
        mode 110, 34
        6⤵
        
        PID:3372
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        6⤵
        
        PID:928
      - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        6⤵
        
        PID:3256
      - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:1612
      - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:2440
      - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:5428
      - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:5452
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:2416
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        6⤵
        
        PID:3796
      - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        6⤵
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        6⤵
        
        PID:3568
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        7⤵
        
        PID:1904
      - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        6⤵
        
        PID:960
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        6⤵
        
        PID:5584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5724
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        6⤵
        
        PID:3616
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        7⤵
        
        PID:1416
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        6⤵
        
        PID:2768
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        7⤵
        
        PID:2804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
      - C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        6⤵
        
        PID:472
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        6⤵
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        6⤵
        
        PID:2828
      - C:\Windows\System32\find.exe
        
        find /i "Windows"
        6⤵
        
        PID:3500
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:3856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        6⤵
        
        PID:228
      - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        6⤵
        
        PID:3788
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:928
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:5900
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2140
        
        C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        6⤵
        
        PID:5640
      - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        6⤵
        
        PID:3660
      - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:1008
      - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:5880
      - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:1216
      - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:960
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:4296
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        6⤵
        
        PID:5600
      - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        6⤵
        
        PID:3800
      - C:\Windows\System32\sc.exe
        
        sc query Null
        6⤵
        Launches sc.exe
        
        PID:968
      - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        6⤵
        Launches sc.exe
        
        PID:3236
      - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        6⤵
        Launches sc.exe
        
        PID:2148
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        6⤵
        Modifies registry key
        
        PID:1416
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        6⤵
        Modifies registry key
        
        PID:5148
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        6⤵
        Modifies registry key
        
        PID:2768
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:4956
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        6⤵
        Modifies registry key
        
        PID:2232
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        6⤵
        Modifies registry key
        
        PID:3956
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        6⤵
        Modifies registry key
        
        PID:1432
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        6⤵
        Modifies registry key
        
        PID:5424
      - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        6⤵
        Launches sc.exe
        
        PID:1044
      - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        6⤵
        Launches sc.exe
        
        PID:4992
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        6⤵
        Modifies registry key
        
        PID:904
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        6⤵
        Modifies registry key
        
        PID:2920
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        6⤵
        Modifies registry key
        
        PID:3472
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:3748
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        6⤵
        Modifies registry key
        
        PID:3980
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        6⤵
        Modifies registry key
        
        PID:6080
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        6⤵
        Modifies registry key
        
        PID:2564
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        6⤵
        Modifies registry key
        
        PID:1944
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:3500
      - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        6⤵
        Launches sc.exe
        
        PID:3856
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        6⤵
        Modifies registry key
        
        PID:1588
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        6⤵
        Modifies registry key
        
        PID:3536
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        6⤵
        Modifies registry key
        
        PID:6044
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:4272
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        6⤵
        Modifies registry key
        
        PID:3272
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        6⤵
        Modifies registry key
        
        PID:5444
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        6⤵
        Modifies registry key
        
        PID:5236
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        6⤵
        Modifies registry key
        
        PID:1456
      - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        6⤵
        Launches sc.exe
        
        PID:5608
      - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        6⤵
        Launches sc.exe
        
        PID:2116
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        6⤵
        Modifies registry key
        
        PID:1616
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        6⤵
        Modifies registry key
        
        PID:3880
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        6⤵
        Modifies registry key
        
        PID:5104
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:5372
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        6⤵
        Modifies registry key
        
        PID:2468
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        6⤵
        Modifies registry key
        
        PID:1580
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        6⤵
        Modifies registry key
        
        PID:5228
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        6⤵
        Modifies registry key
        
        PID:6124
      - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        6⤵
        Launches sc.exe
        
        PID:5872
      - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        6⤵
        Launches sc.exe
        
        PID:5868
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        6⤵
        Modifies registry key
        
        PID:2948
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        6⤵
        Modifies registry key
        
        PID:2188
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        6⤵
        Modifies registry key
        
        PID:1900
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:236
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        6⤵
        Modifies registry key
        
        PID:5720
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        6⤵
        Modifies registry key
        
        PID:408
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        6⤵
        Modifies registry key
        
        PID:4728
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        6⤵
        Modifies registry key
        
        PID:5452
      - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        6⤵
        Launches sc.exe
        
        PID:3796
      - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        6⤵
        Launches sc.exe
        
        PID:3336
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        6⤵
        Modifies registry key
        
        PID:3660
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        6⤵
        Modifies registry key
        
        PID:1008
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        6⤵
        Modifies registry key
        
        PID:5880
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        6⤵
        Modifies registry key
        
        PID:1216
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        6⤵
        Modifies registry key
        
        PID:960
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        6⤵
        Modifies registry key
        
        PID:4296
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        6⤵
        Modifies registry key
        
        PID:5664
      - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        6⤵
        Modifies registry key
        
        PID:3800
      - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        6⤵
        Launches sc.exe
        
        PID:968
      - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        6⤵
        Launches sc.exe
        
        PID:3120
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:1120
      - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        6⤵
        Launches sc.exe
        
        PID:4516
      - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        6⤵
        Launches sc.exe
        
        PID:3096
      - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        6⤵
        Launches sc.exe
        
        PID:2260
      - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        6⤵
        Launches sc.exe
        
        PID:6056
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:4176
      - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        6⤵
        Launches sc.exe
        
        PID:1468
      - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        6⤵
        Launches sc.exe
        
        PID:1444
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:2136
      - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        6⤵
        Launches sc.exe
        
        PID:5540
      - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        6⤵
        Launches sc.exe
        
        PID:2936
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:5188
      - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        6⤵
        Launches sc.exe
        
        PID:4076
      - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        6⤵
        Launches sc.exe
        
        PID:4956
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:4544
      - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        6⤵
        Launches sc.exe
        
        PID:3956
      - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        6⤵
        Launches sc.exe
        
        PID:5192
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:4084
      - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        6⤵
        Launches sc.exe
        
        PID:1044
      - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        6⤵
        Launches sc.exe
        
        PID:4992
      - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        6⤵
        
        PID:3296
      - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        6⤵
        Launches sc.exe
        
        PID:2920
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        6⤵
        
        PID:5096
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        7⤵
        
        PID:5024
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        6⤵
        
        PID:868
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        6⤵
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0c8b30ad-ba0a-43f4-a0b7-c2dd4b9be2b2.cmd') -split ':wpatest\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5472
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "10" "
        6⤵
        
        PID:4684
      - C:\Windows\System32\find.exe
        
        find /i "Error Found"
        6⤵
        
        PID:4108
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
        6⤵
        
        PID:4272
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        7⤵
        
        PID:5236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
      - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        6⤵
        
        PID:2408
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        6⤵
        
        PID:3256
      - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        6⤵
        
        PID:1564
      - C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440 0x80131501"
        6⤵
        
        PID:392
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        6⤵
        
        PID:3788
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        6⤵
        
        PID:3760
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        6⤵
        
        PID:928
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        6⤵
        
        PID:2676
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        6⤵
        
        PID:2416
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        6⤵
        
        PID:3404
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        6⤵
        
        PID:4556
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        7⤵
        
        PID:4148
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        6⤵
        
        PID:5644
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        7⤵
        
        PID:1904
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
        6⤵
        
        PID:4640
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        7⤵
        
        PID:1216
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        6⤵
        
        PID:6000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        6⤵
        
        PID:1712
      - C:\Windows\System32\find.exe
        
        find /i "Ready"
        6⤵
        
        PID:5760
      - C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        6⤵
        
        PID:3464
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        6⤵
        
        PID:3516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:932
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        6⤵
        
        PID:4500
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        6⤵
        
        PID:6136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5948
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        6⤵
        
        PID:4224
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        7⤵
        
        PID:4944
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
        6⤵
        
        PID:2440
      - C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        6⤵
        
        PID:2984
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        6⤵
        
        PID:5900
      - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        6⤵
        
        PID:4572
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        6⤵
        
        PID:408
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        6⤵
        
        PID:4148
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        7⤵
        
        PID:4556
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        6⤵
        
        PID:4868
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        7⤵
        
        PID:3092
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        6⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5904
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        6⤵
        
        PID:568
      - C:\Windows\System32\find.exe
        
        find "AAAA"
        6⤵
        
        PID:2148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1432
      - C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        6⤵
        
        PID:6124
        
        C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temC24C.tmp
        7⤵
        Checks SCSI registry key(s)
        
        PID:5176
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        6⤵
        
        PID:928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3360
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        6⤵
        
        PID:1440
      - C:\Windows\System32\find.exe
        
        find /i "Windows"
        6⤵
        
        PID:1444
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        6⤵
        
        PID:4068
      - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b -2143326207
        6⤵
        
        PID:4116
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        6⤵
        
        PID:5312
      - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        6⤵
        
        PID:568
      - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5424
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
        6⤵
        
        PID:4084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"
        6⤵
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1392
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"
        6⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"
        6⤵
        
        PID:236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5148
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        6⤵
        
        PID:1264
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        6⤵
        
        PID:5312
      - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        6⤵
        
        PID:868
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        6⤵
        
        PID:1052
      - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        6⤵
        
        PID:2052
      - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        6⤵
        
        PID:3732
      - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        6⤵
        
        PID:5092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        6⤵
        
        PID:4240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3500

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:932
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temC162.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3d2dcc40,0x7ffc3d2dcc4c,0x7ffc3d2dcc58
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1348,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3268,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4544,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3324,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5264,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5288,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5460,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5260,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:2
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3288,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5528,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - NTFS ADS
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4456,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4480,i,6065324053975409696,4212684096852054083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1044

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:6116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5232
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\explorer.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5684
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\explorer.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4756
- C:\Windows\system32\xcopy.exe
  xcopy /f explorer.exe C:\Windows\explorer.exe
  2⤵
  - Drops file in Windows directory
  PID:3412
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\explorer.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4568
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\explorer.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5208
- C:\Windows\system32\xcopy.exe
  xcopy /f AdminAccess.bat C:\Windows\explorer.exe
  2⤵
  PID:1200
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\explorer.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3404
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\explorer.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4116
- C:\Windows\system32\xcopy.exe
  xcopy /f explorer.exe C:\Windows\explorer.exe
  2⤵
  - Drops file in Windows directory
  PID:5116
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5528
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\explorer.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2744
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\explorer.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2548
- C:\Windows\system32\xcopy.exe
  xcopy /f explorer.exe C:\Windows\explorer.exe
  2⤵
  - Drops file in Windows directory
  - NTFS ADS
  PID:4084
- C:\Users\Admin\Desktop\explorer.exe
  explorer
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  PID:2792
- C:\Users\Admin\Desktop\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:3728
- C:\Windows\system32\userinit.exe
  userinit
  2⤵
  PID:816
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Checks system information in the registry
    - Checks SCSI registry key(s)
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2512
  - - C:\Windows\System32\pf6bhg.exe
      "C:\Windows\System32\pf6bhg.exe"
      4⤵
      PID:348
- C:\Windows\system32\userinit.exe
  userinit.exe
  2⤵
  PID:724
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Executes dropped EXE
    PID:132
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5112
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5844
- C:\Windows\system32\xcopy.exe
  xcopy /f Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
  2⤵
  - Drops file in Windows directory
  PID:2296
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2256
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1616
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5280
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5036
- C:\Windows\system32\xcopy.exe
  xcopy /f Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
  2⤵
  - Drops file in Windows directory
  PID:820
- C:\Windows\system32\xcopy.exe
  xcopy Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
  2⤵
  - Drops file in Windows directory
  PID:3552
- C:\Windows\system32\userinit.exe
  userinit.exe
  2⤵
  PID:664
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Checks system information in the registry
    - Checks SCSI registry key(s)
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1404
  - - C:\Windows\System32\pf6bhg.exe
      "C:\Windows\System32\pf6bhg.exe"
      4⤵
      PID:5108
  - - C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AdminPriv.bat
      4⤵
      Opens file in notepad (likely ransom note)
      PID:4464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\AdminPriv.bat" "
      4⤵
      PID:1704
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2796
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /grant Administrators:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5032
    - - C:\Windows\system32\xcopy.exe
        
        xcopy /f /s /e /h /y "Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        5⤵
        
        PID:1972
  - - C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AdminPriv.bat
      4⤵
      Opens file in notepad (likely ransom note)
      PID:392
  - - C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AdminPriv.bat
      4⤵
      Opens file in notepad (likely ransom note)
      PID:568
  - - C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AdminPriv.bat
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\AdminPriv.bat" "
      4⤵
      PID:2272
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\SystemApps\@echo off" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3176
- C:\Users\Admin\Desktop\explorer.exe
  explorer
  2⤵
  PID:1696
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5756
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" /grant Administrators:F /t
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4152
- C:\Windows\system32\xcopy.exe
  xcopy /f /s /e /h /y "C:\Users\Admin\Desktop\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy" "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
  2⤵
  PID:2160
- C:\Windows\system32\taskkill.exe
  taskkill explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5064

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:3768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery