discordrat | hxxps://github[.]com/adi33333333334/Project-Ligma/raw/refs/heads/main/Project%20Ligma[.]exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
874	3300	Process not Found
8	3752	chrome.exe
511	1164	Process not Found
292	3300	Process not Found

A potential corporate email address has been identified in the URL: [email protected]
phishing
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
2436	Project Ligma.exe
680	Project Ligma.exe
5972	setup.exe
5728	setup.exe
2320	setup.exe
1216	setup.exe
2236	setup.exe
2264	setup.exe
5856	setup.exe
1908	setup.exe
3120	setup.exe
4388	setup.exe
4908	setup.exe
5584	setup.exe
4584	msedge.exe
4152	msedge.exe
4556	msedge.exe
2968	msedge.exe
2956	elevation_service.exe
4952	msedge.exe
4284	msedge.exe
6604	msedge.exe
6768	msedge.exe
2068	msedge.exe
7016	msedge.exe
6564	msedge.exe
7352	msedge.exe
7340	msedge.exe
7932	msedge.exe
8048	msedge.exe
8124	msedge.exe
1536	msedge.exe
7556	msedge.exe
7576	elevation_service.exe
7248	msedge.exe
7564	msedge.exe
7216	msedge.exe
7184	msedge.exe
7620	msedge.exe
7288	msedge.exe
7612	msedge.exe
6572	msedge.exe
8048	msedge.exe
6352	msedge.exe
4936	identity_helper.exe
6604	identity_helper.exe
5936	msedge.exe
7576	msedge.exe
6544	msedge.exe
7016	msedge.exe
6688	msedge.exe
7716	msedge.exe
7436	msedge.exe
5488	msedge.exe
1856	msedge.exe
7464	msedge.exe
6636	msedge.exe
1340	msedge.exe
7784	msedge.exe
7828	msedge.exe
4876	msedge.exe
7592	msedge.exe
6540	msedge.exe
7840	msedge.exe

Loads dropped DLL 64 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
4152	msedge.exe
4556	msedge.exe
4556	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
4952	msedge.exe
4952	msedge.exe
4584	msedge.exe
4584	msedge.exe
6604	msedge.exe
4284	msedge.exe
6604	msedge.exe
4284	msedge.exe
6604	msedge.exe
2068	msedge.exe
7016	msedge.exe
7016	msedge.exe
2068	msedge.exe
7016	msedge.exe
2068	msedge.exe
6564	msedge.exe
6564	msedge.exe
6564	msedge.exe
7352	msedge.exe
7340	msedge.exe
7352	msedge.exe
7352	msedge.exe
7340	msedge.exe
4584	msedge.exe
4584	msedge.exe
7932	msedge.exe
8048	msedge.exe
8124	msedge.exe
8124	msedge.exe
8048	msedge.exe
7932	msedge.exe
1536	msedge.exe
7556	msedge.exe
7556	msedge.exe
8124	msedge.exe
8124	msedge.exe
7248	msedge.exe
7248	msedge.exe
7564	msedge.exe
7564	msedge.exe
7216	msedge.exe
7184	msedge.exe
7184	msedge.exe
7184	msedge.exe
7620	msedge.exe
7564	msedge.exe
7564	msedge.exe
7564	msedge.exe
7564	msedge.exe
7620	msedge.exe
7612	msedge.exe
7620	msedge.exe
7612	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msedge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msedge.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5280	powershell.exe
7424	powershell.exe
7404	Process not Found
1408	Process not Found
6584	powershell.exe
6500	powershell.exe
5156	powershell.exe
6036	powershell.exe
5348	Process not Found
4212	powershell.exe
7588	powershell.exe
5156	powershell.exe
1988	powershell.exe
6716	powershell.exe
7064	powershell.exe
1068	powershell.exe
6204	powershell.exe
7060	Process not Found
6832	powershell.exe
4412	powershell.exe
6380	powershell.exe
7968	Process not Found
4076	powershell.exe
6340	powershell.exe
5248	powershell.exe
6324	powershell.exe
2848	powershell.exe
1408	Process not Found
2312	powershell.exe
6764	powershell.exe
6308	powershell.exe
4772	Process not Found

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\V:	Process not Found

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
8	raw.githubusercontent.com
1387	camo.githubusercontent.com
1389	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
964	api.ipify.org
965	api.ipify.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedge.exe

Detected potential entity reuse from brand MICROSOFT. 2 IoCs

phishing microsoft

flow	pid	Process
2392	3752	chrome.exe
2392	3752	chrome.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\edge_game_assist\EdgeGameAssist.msix	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	Process not Found
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe	MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\MicrosoftEdge_X64_133.0.3065.69.exe	MicrosoftEdge_X64_133.0.3065.69.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bs.pak	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	Process not Found
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Analytics	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe	setup.exe
File created	C:\Program Files (x86)\7-Zip\readme.txt	Process not Found
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\133.0.3065.59.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ext.txt	Process not Found
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	Process not Found
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	Process not Found
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	Process not Found
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source5972_869497479\MSEDGE.7z	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	Process not Found
File created	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	Process not Found
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\992a66de-d1aa-486b-8601-2a69816a3787.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	Process not Found
File created	C:\Program Files (x86)\7-Zip\Lang\sv.txt	Process not Found

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_385956670\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_758778415\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\Installer\e677b3d.msi	Process not Found
File opened for modification	C:\Windows\Installer\MSI7D31.tmp	Process not Found
File created	C:\Windows\SystemTemp\~DF9C2FBE88973CDEF5.TMP	Process not Found
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\~DFCB2A29E9C1BEF3AE.TMP	Process not Found
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_1667454689\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_385956670\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_758778415\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_1667454689\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\temED1A.tmp	Clipup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\Installer\e677b41.msi	Process not Found
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\	Process not Found
File created	C:\Windows\SystemTemp\~DFA750A6368D732981.TMP	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_1667454689\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\e9a4418b-b86d-4bcc-9a9e-08d75e21069f.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\Installer\e677b3d.msi	Process not Found
File created	C:\Windows\SystemTemp\~DFF7B6A222FF6340EF.TMP	Process not Found
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000}	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8124_385956670\nav_config.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5216	sc.exe
7424	Process not Found
5096	sc.exe
6496	sc.exe
6444	sc.exe
8076	Process not Found
7324	Process not Found
1760	Process not Found
2868	Process not Found
6248	sc.exe
6604	sc.exe
6036	sc.exe
8072	sc.exe
4812	sc.exe
4680	sc.exe
6524	sc.exe
560	sc.exe
5332	sc.exe
8040	sc.exe
2360	sc.exe
4816	sc.exe
6976	sc.exe
6716	sc.exe
6352	sc.exe
3564	sc.exe
5572	sc.exe
7520	sc.exe
6484	sc.exe
6332	sc.exe
6520	sc.exe
5108	sc.exe
7128	sc.exe
5688	sc.exe
6516	sc.exe
6800	sc.exe
6024	sc.exe
4284	sc.exe
8048	sc.exe
8092	sc.exe
6572	sc.exe
6196	sc.exe
6804	sc.exe
5156	sc.exe
6760	sc.exe
7352	sc.exe
2340	sc.exe
5916	Process not Found
5708	sc.exe
6388	sc.exe
5108	sc.exe
1552	sc.exe
6240	sc.exe
4176	sc.exe
5300	sc.exe
6352	sc.exe
3016	sc.exe
8036	sc.exe
8152	sc.exe
7976	Process not Found
1688	Process not Found
6504	sc.exe
5540	sc.exe
8156	Process not Found
8052	Process not Found

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Project Ligma.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7628	cmd.exe
2024	Process not Found
6520	Process not Found
7436	Process not Found
6096	PING.EXE
6944	cmd.exe
5608	PING.EXE
4456	PING.EXE
4700	PING.EXE
6784	Process not Found
6708	Process not Found
6928	Process not Found
784	MicrosoftEdgeUpdate.exe
2452	MicrosoftEdgeUpdate.exe
6328	cmd.exe
6804	cmd.exe
3672	cmd.exe
5656	Process not Found
5352	Process not Found
6908	Process not Found
7128	cmd.exe
6260	PING.EXE
4780	PING.EXE
2224	Process not Found

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	Process not Found
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b74d468fc327a7de0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b74d468f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b74d468f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db74d468f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b74d468f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Integrator.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133841390172546033"	chrome.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
4948	reg.exe
7128	reg.exe
6340	reg.exe
6432	reg.exe
5332	reg.exe
4552	reg.exe
5236	reg.exe
6972	reg.exe
6752	Process not Found
2656	reg.exe
6208	reg.exe
8060	Process not Found
5572	reg.exe
6360	Process not Found
6576	reg.exe
6316	reg.exe
5688	reg.exe
4984	reg.exe
6580	reg.exe
6356	reg.exe
4812	reg.exe
6512	reg.exe
6324	reg.exe
4636	reg.exe
4368	Process not Found
4848	reg.exe
5216	reg.exe
432	reg.exe
5376	reg.exe
6248	reg.exe
6760	Process not Found
4004	Process not Found
7092	reg.exe
2068	reg.exe
5648	reg.exe
2256	reg.exe
8104	Process not Found
2956	reg.exe
7068	reg.exe
1616	reg.exe
4044	reg.exe
476	reg.exe
7540	reg.exe
6472	Process not Found
4904	reg.exe
5744	reg.exe
6208	reg.exe
7540	Process not Found
5228	reg.exe
6720	reg.exe
5552	reg.exe
8092	reg.exe
5156	reg.exe
5412	Process not Found
560	reg.exe
4524	reg.exe
6436	reg.exe
4596	reg.exe
5452	reg.exe
7928	reg.exe
8096	Process not Found
6808	Process not Found
3564	Process not Found
4680	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Project Ligma.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7z2401.msi:Zone.Identifier	Process not Found

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2224	Process not Found
6260	PING.EXE
6096	PING.EXE
5608	PING.EXE
4700	PING.EXE
6928	Process not Found
4456	PING.EXE
4780	PING.EXE
2024	Process not Found
6708	Process not Found
6908	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4876	schtasks.exe
2068	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	chrome.exe
4140	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
2236	setup.exe
2236	setup.exe
2024	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
6524	powershell.exe
6524	powershell.exe
6524	powershell.exe
6292	powershell.exe
6292	powershell.exe
6292	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
6340	powershell.exe
6340	powershell.exe
6340	powershell.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
6716	powershell.exe
6716	powershell.exe
6716	powershell.exe
6488	powershell.exe
6488	powershell.exe
6488	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
6356	powershell.exe
6356	powershell.exe
6356	powershell.exe
7064	powershell.exe
7064	powershell.exe
7064	powershell.exe
6324	powershell.exe
6324	powershell.exe
6324	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
6584	powershell.exe
6584	powershell.exe
6584	powershell.exe
6832	powershell.exe
6832	powershell.exe
6832	powershell.exe
6512	powershell.exe
6512	powershell.exe
6512	powershell.exe
5572	powershell.exe
5572	powershell.exe
5572	powershell.exe
5552	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
6224	WindowsTerminal.exe
6224	WindowsTerminal.exe
1416	WindowsTerminal.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
8124	msedge.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
6224	WindowsTerminal.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
8124	msedge.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
6224	WindowsTerminal.exe
1416	WindowsTerminal.exe
6996	Integrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1420	4140	chrome.exe	84
PID 4140 wrote to memory of 1420	4140	chrome.exe	84
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 4516	4140	chrome.exe	85
PID 4140 wrote to memory of 3752	4140	chrome.exe	86
PID 4140 wrote to memory of 3752	4140	chrome.exe	86
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87
PID 4140 wrote to memory of 2980	4140	chrome.exe	87

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/adi33333333334/Project-Ligma/raw/refs/heads/main/Project%20Ligma.exe
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0bdfcc40,0x7ffb0bdfcc4c,0x7ffb0bdfcc58
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Detected potential entity reuse from brand MICROSOFT.
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1660,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4856,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4860,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4868,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4876,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4884,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5012,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5456,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3268,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3120 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3380,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4376,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3192,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3092 /prefetch:8
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4352,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4312,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5680,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4384,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5776,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=4976,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:568
- C:\Users\Admin\Downloads\Project Ligma.exe
  "C:\Users\Admin\Downloads\Project Ligma.exe"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5024,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5940,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6136,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:1224
- C:\Users\Admin\Downloads\Project Ligma.exe
  "C:\Users\Admin\Downloads\Project Ligma.exe"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5500,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6176,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6384,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6156,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6404,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6116,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6284,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6576,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6324,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6792,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6852,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7048,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5936,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6616,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=7192,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6224,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=7580,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=7156,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=7440,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7184 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7812,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7772 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7940,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7956 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=7764,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=7592,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=7732,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=6680,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=6708,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=6408,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=7864,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=6664,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=6476,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=5944,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=5172,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6388,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1432 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=6888,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=5900,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=6028,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=7748,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=6648,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=6056,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=6876,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=7872,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=2600,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7480 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=6220,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=7896,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=7324,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7652,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8184 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7648,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8092 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --field-trial-handle=6472,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=8108,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=6956,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7784 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=6120,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7944 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8176,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7708 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7696,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7780 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=8196,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --field-trial-handle=7524,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=2648,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=7140,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7064,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7596,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7948 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --field-trial-handle=8544,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8472 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --field-trial-handle=7884,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8100 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --field-trial-handle=8480,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --field-trial-handle=7916,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8284 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --field-trial-handle=8360,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --field-trial-handle=7224,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --field-trial-handle=6772,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --field-trial-handle=7708,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --field-trial-handle=8312,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8616 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --field-trial-handle=8944,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8924 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=9064,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=9056 /prefetch:8
  2⤵
  PID:6796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7336,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=9180 /prefetch:8
  2⤵
  PID:6808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --field-trial-handle=9124,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --field-trial-handle=7332,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=9140 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --field-trial-handle=6148,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8536 /prefetch:1
  2⤵
  PID:7092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --field-trial-handle=9048,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8504 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7816,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8436,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=7700 /prefetch:8
  2⤵
  PID:6724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --field-trial-handle=9220,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8884 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --field-trial-handle=9108,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8696 /prefetch:1
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --field-trial-handle=9172,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:6312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --field-trial-handle=7380,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8644 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --field-trial-handle=6288,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8376 /prefetch:1
  2⤵
  PID:6352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --field-trial-handle=6304,i,10743528785266926237,12249840345935042145,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=8788 /prefetch:1
  2⤵
  PID:4456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1892

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk2ODQxQkYtQzY4Ny00Qzk1LTkyQjItNTcyNjRCMjE5QzM5fSIgdXNlcmlkPSJ7QjNBODgxQTYtQUNCQy00QkRCLUE3RUUtMzg4OTQzMkQ3Q0MzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjQ0Qzg5NjUtMUU3Ni00OUFCLUFBN0QtNjA2MTYwMkExQjMyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzNTAxMzMxMzQiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5944

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
PID:5388
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:5972
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff754e76a68,0x7ff754e76a74,0x7ff754e76a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5728
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2320
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7BE62548-62AB-4319-98E8-A319EBAD8C1E}\EDGEMITMP_77446.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff754e76a68,0x7ff754e76a74,0x7ff754e76a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7ee266a68,0x7ff7ee266a74,0x7ff7ee266a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7ee266a68,0x7ff7ee266a74,0x7ff7ee266a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7ee266a68,0x7ff7ee266a74,0x7ff7ee266a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4388

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
1⤵
- Drops file in Program Files directory
PID:2840
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\EDGEMITMP_AF65A.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\EDGEMITMP_AF65A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4908
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\EDGEMITMP_AF65A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\EDGEMITMP_AF65A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9E2351A1-F5A6-49B6-B687-EC546CF5206B}\EDGEMITMP_AF65A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x21c,0x240,0x244,0x200,0x248,0x7ff6eed66a68,0x7ff6eed66a74,0x7ff6eed66a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5584

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk2ODQxQkYtQzY4Ny00Qzk1LTkyQjItNTcyNjRCMjE5QzM5fSIgdXNlcmlkPSJ7QjNBODgxQTYtQUNCQy00QkRCLUE3RUUtMzg4OTQzMkQ3Q0MzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszNEI4NzIyMy1FRDM3LTRCOTEtQjhBRS01MDI2NzRBRkY2QzN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNCIgY29ob3J0PSJycmZAMC40NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI1IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1MkQ0NjVGOS0wMUYxLTQ1MTQtODVCMi0zRkU1QjVEMzlERUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS42OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSI0IiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM3NTc4MjE2NjUyNDMwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjA0NDgzNDYxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2MDQ1MjM0NzQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc1OTg2MDU1NzMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9hZjhlNWYyYy04YjdmLTQ3OGYtOGY2Yy1mMWRjNTY3ZTBkNjU_UDE9MTc0MDI3MDMwMCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1oNEx1NnlRY0VYZzBURERLeU5nNFV2aTVVZ0U2Z0dSRlp4ZzlYNGhoWmFKcUdKVkltekJITE0wUnAlMmI0RlV3ZVg4WThvU0FmNHNEbUlndTZLVTFJalV3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjIiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4NjYiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc1OTg2MDU1NzMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2FmOGU1ZjJjLThiN2YtNDc4Zi04ZjZjLWYxZGM1NjdlMGQ2NT9QMT0xNzQwMjcwMzAwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWg0THU2eVFjRVhnMFREREt5Tmc0VXZpNVVnRTZnR1JGWnhnOVg0aGhaYUpxR0pWSW16QkhMTTBScCUyYjRGVXdlWDhZOG9TQWY0c0RtSWd1NktVMUlqVXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxMjczOTIzNyIgdG90YWw9IjE3ODYxMTI4MCIgZG93bmxvYWRfdGltZV9tcz0iOTI5MDciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzU5ODYwNTU3MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYWY4ZTVmMmMtOGI3Zi00NzhmLThmNmMtZjFkYzU2N2UwZDY1P1AxPTE3NDAyNzAzMDAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9aDRMdTZ5UWNFWGcwVERES3lOZzRVdmk1VWdFNmdHUkZaeGc5WDRoaFphSnFHSlZJbXpCSExNMFJwJTJiNEZVd2VYOFk4b1NBZjRzRG1JZ3U2S1UxSWpVdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9Ijk2LjE3LjE3OC4xOTkiIGNkbl9jaWQ9IjIiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc4NjExMjgwIiB0b3RhbD0iMTc4NjExMjgwIiBkb3dubG9hZF90aW1lX21zPSI5OTk2NCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NTk4NzgyMTE1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc2MTQ4NjQ5MzQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjgyNzY3ODYxOTIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyOTY5IiBkb3dubG9hZF90aW1lX21zPSIxOTk0MjMiIGRvd25sb2FkZWQ9IjE3ODYxMTI4MCIgdG90YWw9IjE3ODYxMTI4MCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjYxNzMiLz48cGluZyBhY3RpdmU9IjEiIGE9IjUiIHI9IjUiIGFkPSI2NjE2IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9InszQTQ2M0FEQi1BMTUzLTQ2RjUtQjYyMS01ODQ1QUUwM0NCRTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGNvaG9ydD0icnJmQDAuNTciIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTYwNDUwMzQ5NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4Mjc2ODE3OTk1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTQ5MTU3MjEyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYTQ3MmVjZWMtYWU2OS00NDllLWI3YTItNGU4NmRmZWU1OGE5P1AxPTE3NDAyNzAzMDEmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bDJBJTJmcGg1WlZSWjZMM0xWcG52T3lkelJYJTJiTjRqSzRYJTJiSWtBa1NzJTJmUnl2SXNYZ2FrZkswWTVyUzBKazlhQmwzaklNY2ZlTmpVeGdoVmJwcm94TlljdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIxIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg5NDkxNzcyNTYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2E0NzJlY2VjLWFlNjktNDQ5ZS1iN2EyLTRlODZkZmVlNThhOT9QMT0xNzQwMjcwMzAxJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWwyQSUyZnBoNVpWUlo2TDNMVnBudk95ZHpSWCUyYk40aks0WCUyYklrQWtTcyUyZlJ5dklzWGdha2ZLMFk1clMwSms5YUJsM2pJTWNmZU5qVXhnaFZicHJveE5ZY3clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1ODQ5ODEyOCIgdG90YWw9IjU4NDk4MTI4IiBkb3dubG9hZF90aW1lX21zPSI2NjU0NSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTQ5MjI3OTQ5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg5NTcxOTU3MzQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk2MjY4MDYwMzQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyOTcwIiBkb3dubG9hZF90aW1lX21zPSI2NzIzNyIgZG93bmxvYWRlZD0iNTg0OTgxMjgiIHRvdGFsPSI1ODQ5ODEyOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjY5NTUiLz48cGluZyByPSI1IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1NjREQkY2RC0zODUzLTQ0ODQtQjE2OC01NDdERDQ5ODY0NDZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2452

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1568

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wt.exe"
1⤵
PID:6756
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6224
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:7128
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa2c --server 0xa20
    3⤵
    PID:6500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:6524

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wt.exe"
1⤵
PID:2088
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1416
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:4848
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa20 --server 0xa1c
    3⤵
    PID:6268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:6292
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
      4⤵
      PID:6108
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd" "
      4⤵
      PID:6272
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:2360
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:5404
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd"
        5⤵
        
        PID:6960
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:7100
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:7116
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:2508
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        5⤵
        
        PID:5228
    - - C:\Windows\System32\find.exe
        
        find /i "ARM64"
        5⤵
        
        PID:3912
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:5884
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:6784
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:1220
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd" "
        5⤵
        
        PID:1364
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:5412
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':PStest:\s*';iex ($f[1])""
        5⤵
        
        PID:3016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':PStest:\s*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:5216
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:4100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6340
    - - C:\Windows\System32\find.exe
        
        find /i "True"
        5⤵
        
        PID:6684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd""" -el -qedit'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd" -el -qedit"
        6⤵
        
        PID:4540
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        
        PID:6488
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:560
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd"
        7⤵
        
        PID:6308
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:4928
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        7⤵
        
        PID:6356
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:4376
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        7⤵
        
        PID:5488
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:5248
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        7⤵
        
        PID:6800
        
        C:\Windows\System32\find.exe
        
        find /i "ARM64"
        7⤵
        
        PID:6944
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        7⤵
        
        PID:7020
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        8⤵
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        cmd
        8⤵
        
        PID:7056
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd" "
        7⤵
        
        PID:7072
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        7⤵
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':PStest:\s*';iex ($f[1])""
        7⤵
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':PStest:\s*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        7⤵
        
        PID:3592
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        7⤵
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6716
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        7⤵
        
        PID:3572
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7128
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 activated.win
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6260
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6328
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck30.activated.win
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6096
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:5216
        
        C:\Windows\System32\find.exe
        
        find /i "/S"
        7⤵
        
        PID:4672
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        7⤵
        
        PID:6500
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        7⤵
        
        PID:5116
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        7⤵
        
        PID:1316
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        8⤵
        
        PID:6844
        
        C:\Windows\System32\mode.com
        
        mode 76, 34
        7⤵
        
        PID:5376
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789EH0 /N
        7⤵
        
        PID:5648
        
        C:\Windows\System32\mode.com
        
        mode 100, 36
        7⤵
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=35;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':sppmgr\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5248
        
        C:\Windows\System32\mode.com
        
        mode 76, 34
        7⤵
        
        PID:5412
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789EH0 /N
        7⤵
        
        PID:1780
        
        C:\Windows\System32\mode.com
        
        mode 110, 34
        7⤵
        
        PID:6260
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:5492
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:4816
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6556
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:5116
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:4584
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:1316
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6352
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6972
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:6468
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        7⤵
        
        PID:7124
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        8⤵
        
        PID:5108
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:6340
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        7⤵
        
        PID:6648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6356
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        7⤵
        
        PID:1552
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        8⤵
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        7⤵
        
        PID:2044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        8⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7064
        
        C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        7⤵
        
        PID:6996
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:5412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6324
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:6484
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:4816
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:5572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6584
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        7⤵
        
        PID:7056
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        7⤵
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:6332
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        8⤵
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6944
        
        C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5608
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:5596
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:6996
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6180
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:3016
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:2848
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:1760
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6516
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6524
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:5368
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:6248
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:6484
        
        C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        7⤵
        Launches sc.exe
        
        PID:4816
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        7⤵
        Modifies registry key
        
        PID:5572
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        7⤵
        Modifies registry key
        
        PID:4904
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        7⤵
        
        PID:5332
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        7⤵
        
        PID:6024
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        7⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        7⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        7⤵
        
        PID:6464
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        7⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:5708
        
        C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        7⤵
        Launches sc.exe
        
        PID:6388
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        7⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        7⤵
        Modifies registry key
        
        PID:6576
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        7⤵
        
        PID:4700
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        7⤵
        
        PID:6556
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        7⤵
        
        PID:6844
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        7⤵
        
        PID:6320
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        7⤵
        
        PID:7060
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        7⤵
        
        PID:6976
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:6572
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:5108
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        7⤵
        
        PID:6520
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        7⤵
        Modifies registry key
        
        PID:7092
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        7⤵
        
        PID:2488
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        7⤵
        Modifies registry key
        
        PID:5228
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        7⤵
        
        PID:6104
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        7⤵
        
        PID:5872
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        7⤵
        
        PID:5452
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        
        PID:1364
        
        C:\Windows\System32\sc.exe
        
        sc query KeyIso
        7⤵
        Launches sc.exe
        
        PID:6496
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        7⤵
        Modifies registry key
        
        PID:5744
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        7⤵
        
        PID:6944
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        7⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        7⤵
        
        PID:6560
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        7⤵
        Modifies registry key
        
        PID:7128
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        7⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        7⤵
        
        PID:3496
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        7⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:5096
        
        C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        7⤵
        Launches sc.exe
        
        PID:6524
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        7⤵
        
        PID:5368
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        7⤵
        
        PID:6500
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        7⤵
        
        PID:2012
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:6316
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        7⤵
        
        PID:6096
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        7⤵
        
        PID:5572
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        7⤵
        
        PID:4912
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        7⤵
        Modifies registry key
        
        PID:6340
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:560
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        
        PID:5804
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        7⤵
        Modifies registry key
        
        PID:6436
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        7⤵
        Modifies registry key
        
        PID:5688
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        7⤵
        
        PID:700
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        7⤵
        Modifies registry key
        
        PID:6432
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        7⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        7⤵
        
        PID:4928
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        7⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        7⤵
        
        PID:6576
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:6444
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:6196
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6804
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        Launches sc.exe
        
        PID:6976
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:6572
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5108
        
        C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        7⤵
        Launches sc.exe
        
        PID:6520
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:432
        
        C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        7⤵
        Launches sc.exe
        
        PID:1552
        
        C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        7⤵
        Launches sc.exe
        
        PID:4680
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:3912
        
        C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        7⤵
        Launches sc.exe
        
        PID:6800
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:6332
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:1220
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:5968
        
        C:\Windows\System32\sc.exe
        
        sc query KeyIso
        7⤵
        Launches sc.exe
        
        PID:5156
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:6496
        
        C:\Windows\System32\sc.exe
        
        sc start KeyIso
        7⤵
        Launches sc.exe
        
        PID:6504
        
        C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        7⤵
        Launches sc.exe
        
        PID:6716
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:4076
        
        C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        7⤵
        Launches sc.exe
        
        PID:3016
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        
        PID:7128
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:2848
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5216
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        7⤵
        
        PID:2068
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        8⤵
        
        PID:5096
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        7⤵
        
        PID:5492
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        7⤵
        
        PID:6260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6832
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "10" "
        7⤵
        
        PID:5804
        
        C:\Windows\System32\find.exe
        
        find /i "Error Found"
        7⤵
        
        PID:6648
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
        7⤵
        
        PID:6388
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        8⤵
        
        PID:6356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6512
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:7116
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        7⤵
        
        PID:2488
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        7⤵
        
        PID:3912
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440 0x80131501"
        7⤵
        
        PID:6816
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        7⤵
        
        PID:6332
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        7⤵
        
        PID:1364
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:6664
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        7⤵
        
        PID:6776
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        7⤵
        
        PID:5744
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        7⤵
        
        PID:6504
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        7⤵
        
        PID:1780
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        8⤵
        
        PID:4076
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        7⤵
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        7⤵
        
        PID:7128
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        8⤵
        
        PID:6516
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
        7⤵
        
        PID:6524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        8⤵
        
        PID:6724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5572
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "KMS_"
        7⤵
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        7⤵
        
        PID:6648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        7⤵
        
        PID:5116
        
        C:\Windows\System32\find.exe
        
        find /i "Ready"
        7⤵
        
        PID:6884
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        7⤵
        
        PID:6556
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        7⤵
        
        PID:6748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:6776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:5952
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        7⤵
        
        PID:6500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        7⤵
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        7⤵
        
        PID:6584
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        8⤵
        
        PID:6684
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
        7⤵
        
        PID:6804
        
        C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        7⤵
        
        PID:6388
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        7⤵
        
        PID:4700
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:4284
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        7⤵
        
        PID:6564
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        7⤵
        
        PID:6800
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        8⤵
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        7⤵
        
        PID:2488
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        8⤵
        
        PID:5228
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        7⤵
        
        PID:6104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        8⤵
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        7⤵
        
        PID:5412
        
        C:\Windows\System32\find.exe
        
        find "AAAA"
        7⤵
        
        PID:7008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
        7⤵
        
        PID:6096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6500
        
        C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        7⤵
        
        PID:6652
        
        C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temEE04.tmp
        8⤵
        Checks SCSI registry key(s)
        
        PID:4948
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4412
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:6616
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:2484
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        7⤵
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:5332
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        7⤵
        
        PID:6980
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        7⤵
        
        PID:6260
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        7⤵
        
        PID:5492
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        7⤵
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        7⤵
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5156
        
        C:\Windows\System32\mode.com
        
        mode 76, 34
        7⤵
        
        PID:3592
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789EH0 /N
        7⤵
        
        PID:6636
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:5492
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:4912
        
        C:\Windows\System32\mode.com
        
        mode 115, 32
        7⤵
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        7⤵
        
        PID:2584
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:4648
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:1780
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6308
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:4848
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6800
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6944
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:5376
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        7⤵
        
        PID:6036
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        8⤵
        
        PID:6000
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        7⤵
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        8⤵
        
        PID:6768
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        7⤵
        
        PID:5416
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        8⤵
        
        PID:6752
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        7⤵
        
        PID:2656
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        8⤵
        
        PID:6316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6380
        
        C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        7⤵
        
        PID:6684
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:6304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:4852
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:6816
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        7⤵
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5280
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:3304
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        8⤵
        
        PID:6520
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:6432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6804
        
        C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:4876
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:6512
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6312
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:4556
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:3496
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6752
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6240
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6388
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:4524
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:7128
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:5332
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        
        PID:5552
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        7⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        7⤵
        
        PID:7084
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        7⤵
        Modifies registry key
        
        PID:6580
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        7⤵
        
        PID:6900
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        7⤵
        
        PID:5492
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        7⤵
        
        PID:6392
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        7⤵
        
        PID:2956
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        7⤵
        
        PID:1652
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        
        PID:1552
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        Launches sc.exe
        
        PID:6604
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        7⤵
        
        PID:7068
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        7⤵
        
        PID:6324
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        7⤵
        
        PID:4912
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        7⤵
        
        PID:6560
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        7⤵
        
        PID:6708
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        7⤵
        
        PID:4852
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        7⤵
        
        PID:5412
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        7⤵
        Modifies registry key
        
        PID:5216
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:5156
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5688
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:6024
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:2012
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:6760
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:2848
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:4176
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        7⤵
        
        PID:4772
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        8⤵
        
        PID:2340
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        7⤵
        
        PID:6332
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        7⤵
        
        PID:6800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6204
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "12" "
        7⤵
        
        PID:6192
        
        C:\Windows\System32\find.exe
        
        find /i "Error Found"
        7⤵
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
        7⤵
        
        PID:4044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        8⤵
        
        PID:6512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        7⤵
        
        PID:4556
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:5952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        7⤵
        
        PID:6980
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:6668
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        7⤵
        
        PID:5492
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440 0x80131501"
        7⤵
        
        PID:4528
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        7⤵
        
        PID:2956
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        7⤵
        
        PID:2488
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:1552
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        7⤵
        
        PID:7064
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        7⤵
        
        PID:1520
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        7⤵
        
        PID:7004
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        7⤵
        
        PID:1068
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        8⤵
        
        PID:7068
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        7⤵
        
        PID:6708
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        7⤵
        
        PID:4852
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        8⤵
        
        PID:5412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
        7⤵
        
        PID:4100
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "KMS_"
        7⤵
        
        PID:5156
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        7⤵
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        8⤵
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        7⤵
        
        PID:6576
        
        C:\Windows\System32\find.exe
        
        find /i "Ready"
        7⤵
        
        PID:3304
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        7⤵
        
        PID:5228
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        7⤵
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4212
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:6324
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        7⤵
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        7⤵
        
        PID:6632
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
        7⤵
        
        PID:2484
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
        7⤵
        
        PID:4376
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
        7⤵
        
        PID:4848
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /reg:32
        7⤵
        
        PID:4176
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
        7⤵
        
        PID:3564
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /reg:32
        7⤵
        
        PID:5236
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
        7⤵
        
        PID:4100
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
        7⤵
        
        PID:4680
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
        7⤵
        
        PID:5632
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:5744
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
        7⤵
        
        PID:5648
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
        7⤵
        
        PID:4816
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        Modifies data under HKEY_USERS
        
        PID:240
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
        7⤵
        
        PID:1460
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
        7⤵
        
        PID:2524
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
        7⤵
        
        PID:2916
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
        7⤵
        
        PID:2336
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:3304
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:5228
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
        7⤵
        
        PID:6664
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
        7⤵
        Modifies registry key
        
        PID:6512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""
        7⤵
        
        PID:6840
        
        C:\Windows\System32\find.exe
        
        find /i "Office"
        7⤵
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:4560
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        Modifies registry key
        
        PID:5332
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:6240
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:6724
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
        8⤵
        Modifies registry key
        
        PID:6208
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:4648
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
        8⤵
        Modifies registry key
        
        PID:5452
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:7084
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:6720
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:6604
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
        8⤵
        
        PID:4212
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:6456
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:6324
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:6524
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:2012
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:7068
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:5596
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:5376
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul
        7⤵
        
        PID:6336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"
        8⤵
        
        PID:5688
        
        C:\Windows\System32\sc.exe
        
        sc query ClickToRunSvc
        7⤵
        Launches sc.exe
        
        PID:4284
        
        C:\Windows\System32\sc.exe
        
        sc query OfficeSvc
        7⤵
        
        PID:5756
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
        7⤵
        
        PID:6476
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        8⤵
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:6384
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
        7⤵
        
        PID:7092
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
        8⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul
        7⤵
        
        PID:6220
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport
        8⤵
        
        PID:6800
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul
        7⤵
        
        PID:7116
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData
        8⤵
        
        PID:4044
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
        7⤵
        
        PID:6996
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        8⤵
        Modifies registry key
        
        PID:6248
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
        7⤵
        
        PID:1876
        
        C:\Windows\System32\find.exe
        
        find /i "Wow6432Node"
        7⤵
        
        PID:5440
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
        7⤵
        
        PID:6792
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
        8⤵
        
        PID:4524
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Retail Volume"
        8⤵
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "" "
        7⤵
        
        PID:5952
        
        C:\Windows\System32\find.exe
        
        find /i " ProPlusRetail.16 "
        7⤵
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
        7⤵
        
        PID:6900
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        8⤵
        
        PID:7060
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
        7⤵
        
        PID:5280
        
        C:\Windows\System32\findstr.exe
        
        findstr /I " ProPlusRetail "
        7⤵
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
        7⤵
        
        PID:6636
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "ProPlusRetail"
        7⤵
        
        PID:6208
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
        7⤵
        
        PID:6320
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "O365"
        7⤵
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
        7⤵
        
        PID:5096
        
        C:\Windows\System32\find.exe
        
        find /i "2024"
        7⤵
        
        PID:6720
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: [PrepidBypass] "
        7⤵
        
        PID:7072
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:6496
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -AccessRetail- "
        7⤵
        
        PID:5412
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:6352
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -ExcelRetail- "
        7⤵
        
        PID:6036
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:6708
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: "
        7⤵
        
        PID:6324
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -O365BusinessRetail-O365EduCloudRetail-O365HomePremRetail-O365ProPlusRetail-O365SmallBusPremRetail- "
        7⤵
        
        PID:1760
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: [Bypass] "
        7⤵
        
        PID:7068
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:5788
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -OneNoteRetail-OneNote2021Retail- "
        7⤵
        
        PID:4680
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:3728
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -OutlookRetail- "
        7⤵
        
        PID:6556
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:3852
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -PowerPointRetail- "
        7⤵
        
        PID:700
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:6620
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectProRetail- "
        7⤵
        
        PID:6336
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: "
        7⤵
        
        PID:6508
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:5448
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectStdRetail- "
        7⤵
        
        PID:6988
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:6540
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: "
        7⤵
        
        PID:6332
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: -ProPlusRetail-ProfessionalPipcRetail-ProfessionalRetail- "
        7⤵
        
        PID:2336
        
        C:\Windows\System32\find.exe
        
        find /i "-ProPlusRetail-"
        7⤵
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration "
        7⤵
        
        PID:6156
        
        C:\Windows\System32\find.exe
        
        find /i "propertyBag"
        7⤵
        
        PID:1460
        
        C:\Windows\System32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlusVolume.OSPPReady /t REG_SZ /d 1
        7⤵
        Modifies registry key
        
        PID:4636
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
        7⤵
        
        PID:7116
        
        C:\Windows\System32\find.exe
        
        find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
        7⤵
        
        PID:6752
        
        C:\Program Files\Microsoft Office\root\integration\Integrator.exe
        
        "C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlusVolume.16 PidKey=XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of SetWindowsHookEx
        
        PID:6996
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
        7⤵
        
        PID:6684
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        8⤵
        
        PID:6720
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c47456e3-265d-47b6-8ca0-c30abbd0ca36 c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 d450596f-894d-49e0-966a-fd39ed4c4c64 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
        7⤵
        
        PID:4912
        
        C:\Windows\System32\find.exe
        
        find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
        7⤵
        
        PID:5412
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99"
        7⤵
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:6560
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        7⤵
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }" 2>nul
        7⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }"
        8⤵
        
        PID:6760
        
        C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-2417498994-1216132997-487892065-1000\Software
        7⤵
        
        PID:6336
        
        C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-2417498994-1216132997-487892065-1000\Software\Microsoft\Office\15.0\Common\Licensing /f
        7⤵
        
        PID:6432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2417498994-1216132997-487892065-1000" /v ProfileImagePath" 2>nul
        7⤵
        
        PID:6508
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2417498994-1216132997-487892065-1000" /v ProfileImagePath
        8⤵
        
        PID:4100
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f
        7⤵
        
        PID:4780
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
        7⤵
        
        PID:1616
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f
        7⤵
        
        PID:5228
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
        7⤵
        
        PID:6800
        
        C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-2417498994-1216132997-487892065-1000\Software\Microsoft\Office\16.0\Common\Licensing /f
        7⤵
        
        PID:6512
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2417498994-1216132997-487892065-1000" /v ProfileImagePath" 2>nul
        7⤵
        
        PID:4044
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2417498994-1216132997-487892065-1000" /v ProfileImagePath
        8⤵
        
        PID:4556
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f
        7⤵
        
        PID:6248
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
        7⤵
        
        PID:5456
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f
        7⤵
        
        PID:5708
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
        7⤵
        
        PID:4732
        
        C:\Windows\System32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f
        7⤵
        
        PID:2964
        
        C:\Windows\System32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
        7⤵
        Modifies registry key
        
        PID:476
        
        C:\Windows\System32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f
        7⤵
        
        PID:5572
        
        C:\Windows\System32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
        7⤵
        Modifies registry key
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing 2>nul | findstr REG_
        7⤵
        
        PID:4840
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing
        8⤵
        
        PID:2160
        
        C:\Windows\System32\findstr.exe
        
        findstr REG_
        8⤵
        
        PID:1876
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f
        7⤵
        
        PID:7064
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f /reg:32
        7⤵
        
        PID:2068
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f
        7⤵
        
        PID:6748
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:32
        7⤵
        
        PID:2656
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        Modifies data under HKEY_USERS
        
        PID:6388
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:5952
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:6688
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default" 2>nul
        7⤵
        
        PID:6544
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default
        8⤵
        
        PID:6720
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
        7⤵
        
        PID:4948
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
        8⤵
        
        PID:7004
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo " d450596f-894d-49e0-966a-fd39ed4c4c64" "
        7⤵
        
        PID:6304
        
        C:\Windows\System32\find.exe
        
        find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
        7⤵
        
        PID:6524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call UninstallProductKey
        7⤵
        
        PID:6652
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo " d450596f-894d-49e0-966a-fd39ed4c4c64" "
        7⤵
        
        PID:6816
        
        C:\Windows\System32\find.exe
        
        find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
        7⤵
        
        PID:2584
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
        7⤵
        
        PID:5156
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
        7⤵
        
        PID:4176
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        8⤵
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
        7⤵
        
        PID:6620
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path OfficeSoftwareProtectionProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        8⤵
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get LicenseFamily /VALUE" 2>nul
        7⤵
        
        PID:4836
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get LicenseFamily /VALUE
        8⤵
        
        PID:6776
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 kms.ghpym.com 2>nul
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3672
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 kms.ghpym.com
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4780
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
        7⤵
        
        PID:6152
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5" /reg:32
        7⤵
        
        PID:5416
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
        7⤵
        
        PID:7128
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
        7⤵
        
        PID:5084
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
        7⤵
        
        PID:4884
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
        7⤵
        
        PID:7044
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
        7⤵
        
        PID:5772
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5" /reg:32
        7⤵
        
        PID:6084
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
        7⤵
        
        PID:7060
        
        C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
        7⤵
        
        PID:6648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call Activate
        7⤵
        
        PID:6840
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get GracePeriodRemaining /VALUE" 2>nul
        7⤵
        
        PID:4648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get GracePeriodRemaining /VALUE
        8⤵
        
        PID:6496
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name like '%windows%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
        7⤵
        
        PID:6456
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (Name like '%windows%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        8⤵
        
        PID:6720
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6980
        
        C:\Windows\System32\find.exe
        
        find /i "\Activation-Renewal"
        7⤵
        
        PID:4700
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6676
        
        C:\Windows\System32\find.exe
        
        find /i "\Activation-Run_Once"
        7⤵
        
        PID:6708
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /delete /tn Online_KMS_Activation_Script-Renewal /f
        7⤵
        
        PID:6944
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /delete /tn Online_KMS_Activation_Script-Run_Once /f
        7⤵
        
        PID:6324
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKCR\DesktopBackground\shell\Activate Windows - Office" /f
        7⤵
        
        PID:6652
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:2484
        
        C:\Windows\System32\find.exe
        
        find /i "\Activation-Renewal"
        7⤵
        
        PID:3852
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6632
        
        C:\Windows\System32\find.exe
        
        find /i "\Activation-Run_Once"
        7⤵
        
        PID:4772
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:4376
        
        C:\Windows\System32\find.exe
        
        find /i "\Online_KMS_Activation_Script"
        7⤵
        
        PID:5076
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCR\DesktopBackground\shell\Activate Windows - Office"
        7⤵
        
        PID:5788
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "[Guid]::NewGuid().Guid"
        7⤵
        
        PID:5884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "[Guid]::NewGuid().Guid"
        8⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split \":renewal\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\39270ddeba82-3f86-4220-912c-00c48d3c8eeb\Renewal.xml',$f[1].Trim(),[System.Text.Encoding]::Unicode);"
        7⤵
        
        PID:6808
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /create /tn "Activation-Renewal" /ru "SYSTEM" /xml "C:\Windows\Temp\39270ddeba82-3f86-4220-912c-00c48d3c8eeb\Renewal.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split \":_extracttask\:.*`r`n\"; [io.file]::WriteAllText('C:\Program Files\Activation-Renewal\Activation_task.cmd', '@::0ddeba82-3f86-4220-912c-00c48d3c8eeb' + [Environment]::NewLine + $f[1].Trim(), [System.Text.Encoding]::ASCII)"
        7⤵
        
        PID:3300
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:6668
        
        C:\Windows\System32\find.exe
        
        find /i "\Activation-Renewal"
        7⤵
        
        PID:4984
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        7⤵
        
        PID:6380
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        7⤵
        
        PID:6688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        7⤵
        
        PID:6748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6036
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:7004
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:4952
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:4076
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:2044
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:1248
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:7104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks system information in the registry
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        System policy modification
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x348,0x7ffaef59f208,0x7ffaef59f214,0x7ffaef59f220
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2012,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:11
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2000,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=1992 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2516,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:13
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3592,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3604,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4272,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:6768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4320,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:9
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4340,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4444,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:9
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:14
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,1285154518883954711,2717606201390237792,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:14
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7352
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:7072
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:1068
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:6268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7932
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:7948
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:7964
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:7980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8048
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:8064
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:8080
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:8096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks system information in the registry
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        System policy modification
        
        PID:8124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f4,0x7ffaef59f208,0x7ffaef59f214,0x7ffaef59f220
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:11
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2124,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2412,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:13
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3500,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4156,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:7288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4180,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:9
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4244,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:9
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4220,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:6572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4828,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:8048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6072,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6072,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:6604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3748,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6500,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6552,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6452,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6824,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6520,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:6636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6636,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6600,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=2820,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6724,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=4936,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:1
        8⤵
        Executes dropped EXE
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,518590140608501758,16155871314548331553,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:14
        8⤵
        Executes dropped EXE
        
        PID:7840
        
        C:\Windows\System32\mode.com
        
        mode 76, 30
        7⤵
        
        PID:8164
        
        C:\Windows\System32\find.exe
        
        find /i "Ver:2.7" "C:\Program Files\Activation-Renewal\Activation_task.cmd"
        7⤵
        
        PID:8184
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567890 /N
        7⤵
        
        PID:7316
        
        C:\Windows\System32\mode.com
        
        mode 115, 32
        7⤵
        
        PID:5916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        7⤵
        
        PID:560
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:2340
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:1688
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6768
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:4044
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6612
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:7920
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:8036
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:6284
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:8040
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        7⤵
        
        PID:3988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        8⤵
        
        PID:8092
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        7⤵
        
        PID:7432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        8⤵
        
        PID:8052
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        7⤵
        
        PID:4724
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        8⤵
        
        PID:8008
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        7⤵
        
        PID:6684
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        8⤵
        
        PID:7352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7588
        
        C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        7⤵
        
        PID:6996
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        7⤵
        
        PID:4552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6764
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        7⤵
        
        PID:5936
        
        C:\Windows\System32\find.exe
        
        find /i "Windows"
        7⤵
        
        PID:572
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        7⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7424
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:6708
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        8⤵
        
        PID:6520
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7628
        
        C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4700
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        7⤵
        
        PID:8080
        
        C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        7⤵
        
        PID:4848
        
        C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:2432
        
        C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:8008
        
        C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:6400
        
        C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:7384
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:7352
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        7⤵
        
        PID:7656
        
        C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        7⤵
        
        PID:5772
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:3564
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:5300
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:8072
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        7⤵
        
        PID:6996
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        7⤵
        Modifies registry key
        
        PID:6208
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        7⤵
        Modifies registry key
        
        PID:6356
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        7⤵
        
        PID:7468
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        7⤵
        
        PID:6448
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        7⤵
        
        PID:1408
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        7⤵
        
        PID:6224
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        7⤵
        Modifies registry key
        
        PID:4552
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:8048
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        Launches sc.exe
        
        PID:4812
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        7⤵
        
        PID:2968
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        7⤵
        Modifies registry key
        
        PID:5648
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        7⤵
        
        PID:7972
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        7⤵
        
        PID:5636
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        7⤵
        
        PID:3912
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        7⤵
        
        PID:7948
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        7⤵
        
        PID:7520
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        7⤵
        
        PID:7428
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:8040
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:8152
        
        C:\Windows\System32\sc.exe
        
        sc query sppsvc
        7⤵
        Launches sc.exe
        
        PID:8092
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:8044
        
        C:\Windows\System32\sc.exe
        
        sc start sppsvc
        7⤵
        Launches sc.exe
        
        PID:2340
        
        C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        7⤵
        
        PID:6096
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:8068
        
        C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        7⤵
        Launches sc.exe
        
        PID:5572
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        7⤵
        
        PID:7968
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        8⤵
        
        PID:6612
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        7⤵
        
        PID:7224
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        7⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_9b98fc81-9f7a-49f1-ae05-806e035aa30d.cmd') -split ':wpatest\:.*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5156
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "13" "
        7⤵
        
        PID:1520
        
        C:\Windows\System32\find.exe
        
        find /i "Error Found"
        7⤵
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
        7⤵
        
        PID:8076
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        8⤵
        
        PID:7340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        7⤵
        
        PID:8096
        
        C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        7⤵
        
        PID:4220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        7⤵
        
        PID:7796
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:5656
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        7⤵
        
        PID:5672
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440 0x80131501"
        7⤵
        
        PID:748
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        7⤵
        
        PID:6104
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        7⤵
        
        PID:7324
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:1288
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        7⤵
        
        PID:6032
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        7⤵
        
        PID:7308
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        7⤵
        
        PID:8048
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        7⤵
        
        PID:2576
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        8⤵
        
        PID:5608
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        7⤵
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        7⤵
        
        PID:8036
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        8⤵
        
        PID:7944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
        7⤵
        
        PID:8064
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "KMS_"
        7⤵
        
        PID:5248
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        7⤵
        
        PID:6752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        8⤵
        
        PID:7952
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        7⤵
        
        PID:4848
        
        C:\Windows\System32\find.exe
        
        find /i "Ready"
        7⤵
        
        PID:7540
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        7⤵
        
        PID:5156
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        7⤵
        
        PID:6684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        
        PID:7252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6308
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        7⤵
        
        PID:4552
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        7⤵
        
        PID:6524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        7⤵
        
        PID:4044
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
        7⤵
        
        PID:2868
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
        7⤵
        
        PID:7948
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
        7⤵
        
        PID:6284
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /reg:32
        7⤵
        
        PID:6096
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
        7⤵
        
        PID:7520
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /reg:32
        7⤵
        
        PID:8064
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
        7⤵
        
        PID:8052
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
        7⤵
        
        PID:4928
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
        7⤵
        
        PID:7060
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:6768
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
        7⤵
        
        PID:6260
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
        7⤵
        
        PID:5600
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        Modifies data under HKEY_USERS
        
        PID:3256
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
        7⤵
        
        PID:7952
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
        7⤵
        
        PID:6752
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
        7⤵
        
        PID:4848
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
        7⤵
        
        PID:7392
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:1520
        
        C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
        7⤵
        
        PID:5156
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
        7⤵
        
        PID:7992
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
        7⤵
        
        PID:7928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""
        7⤵
        
        PID:7656
        
        C:\Windows\System32\find.exe
        
        find /i "Office"
        7⤵
        
        PID:7328
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:1416
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        
        PID:6148
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:4776
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        
        PID:7040
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:668
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
        8⤵
        
        PID:6764
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:2164
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
        8⤵
        
        PID:7020
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:7468
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
        8⤵
        
        PID:7396
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:6308
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:4552
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:8092
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:8036
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:5236
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:6668
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
        8⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
        7⤵
        
        PID:5608
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
        8⤵
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul
        7⤵
        
        PID:8044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"
        8⤵
        
        PID:5648
        
        C:\Windows\System32\sc.exe
        
        sc query ClickToRunSvc
        7⤵
        Launches sc.exe
        
        PID:5540
        
        C:\Windows\System32\sc.exe
        
        sc query OfficeSvc
        7⤵
        Launches sc.exe
        
        PID:7520
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
        7⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        8⤵
        
        PID:6336
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
        7⤵
        
        PID:5600
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        8⤵
        
        PID:3256
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
        7⤵
        
        PID:6796
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
        8⤵
        Modifies registry key
        
        PID:7540
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul
        7⤵
        
        PID:7352
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport
        8⤵
        Modifies registry key
        
        PID:6972
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul
        7⤵
        
        PID:1520
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData
        8⤵
        Modifies registry key
        
        PID:5156
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
        7⤵
        
        PID:7984
        
        C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        8⤵
        Modifies registry key
        
        PID:7928
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
        7⤵
        
        PID:6360
        
        C:\Windows\System32\find.exe
        
        find /i "Wow6432Node"
        7⤵
        
        PID:5300
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
        7⤵
        
        PID:4772
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
        8⤵
        
        PID:3564
        
        C:\Windows\System32\findstr.exe
        
        findstr /i "Retail Volume"
        8⤵
        
        PID:5968
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "" "
        7⤵
        
        PID:6760
        
        C:\Windows\System32\find.exe
        
        find /i " ProPlusRetail.16 "
        7⤵
        
        PID:7588
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AccessRuntimeRetail" "
        7⤵
        
        PID:8076
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7328
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AccessVolume" "
        7⤵
        
        PID:6148
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:6996
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ExcelVolume" "
        7⤵
        
        PID:6208
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7040
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "MondoRetail" "
        7⤵
        
        PID:6764
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "MondoVolume" "
        7⤵
        
        PID:5656
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7020
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "OneNoteFreeRetail" "
        7⤵
        
        PID:7396
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:5280
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "OneNoteVolume" "
        7⤵
        
        PID:4712
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "OutlookVolume" "
        7⤵
        
        PID:8092
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "PowerPointVolume" "
        7⤵
        
        PID:5236
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:5624
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ProjectProVolume" "
        7⤵
        
        PID:2576
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7368
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ProjectProXVolume" "
        7⤵
        
        PID:5704
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ProjectStdVolume" "
        7⤵
        
        PID:5632
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7628
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ProjectStdXVolume" "
        7⤵
        
        PID:560
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:6808
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "ProPlusVolume" "
        7⤵
        
        PID:8084
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7948
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "PublisherVolume" "
        7⤵
        
        PID:2664
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7428
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "SkypeServiceBypassRetail" "
        7⤵
        
        PID:5720
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7520
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "SkypeforBusinessEntryRetail" "
        7⤵
        
        PID:6848
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:4700
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "SkypeforBusinessVolume" "
        7⤵
        
        PID:6708
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:7412
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "StandardVolume" "
        7⤵
        
        PID:8116
        
        C:\Windows\System32\findstr.exe
        
        findstr /I "\<ProPlusRetail.*"
        7⤵
        
        PID:6156
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "VisioProVolume" "
        7⤵
        
        PID:7432

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:6804
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temED1A.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:2244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:7576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery