1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lightshot = "C:\\Program Files (x86)\\Skillbrains\\lightshot\\Lightshot.exe"	setup-lightshot.tmp

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6584	powershell.exe
2732	powershell.exe
5564	powershell.exe
2580	powershell.exe
7148	powershell.exe
6680	powershell.exe
7096	powershell.exe
1124	powershell.exe
6864	powershell.exe
2940	powershell.exe
4652	powershell.exe
5560	powershell.exe
6388	powershell.exe
6308	powershell.exe
6880	powershell.exe
6252	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
258	1392	Process not Found
543	4492	firefox.exe
1326	4492	firefox.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
210	camo.githubusercontent.com
1044	discord.com
1045	discord.com
1081	discord.com
1089	discord.com
1109	discord.com
1131	discord.com
211	camo.githubusercontent.com
234	camo.githubusercontent.com
605	discord.com
998	discord.com
1070	discord.com
1090	discord.com
840	discord.com
883	discord.com
930	discord.com
938	discord.com
1016	discord.com
1096	discord.com
1125	discord.com
215	camo.githubusercontent.com
282	discord.com
999	discord.com
1006	discord.com
1088	discord.com
1128	discord.com
212	camo.githubusercontent.com
251	discord.com
1033	discord.com
1065	discord.com
1072	discord.com
1075	discord.com
1091	discord.com
214	camo.githubusercontent.com
216	camo.githubusercontent.com
305	discord.com
885	discord.com
934	discord.com
206	camo.githubusercontent.com
259	discord.com
834	discord.com
1097	discord.com
1098	discord.com
1074	discord.com
1110	discord.com
254	discord.com
599	discord.com
604	discord.com
826	discord.com
1054	discord.com
607	discord.com
1051	discord.com
1076	discord.com
208	camo.githubusercontent.com
213	camo.githubusercontent.com
829	discord.com
1108	discord.com
924	discord.com
1057	discord.com
1078	discord.com
907	discord.com
1073	discord.com
1080	discord.com
1077	discord.com

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	setupupdater.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	setup-lightshot.tmp

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
768	tasklist.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-SENF4.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1OKVE.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dual_engine_adapter_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-8V8JT.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-7KNJF.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files (x86)\Skillbrains\Updater\info.xml	setupupdater.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-8SP1D.tmp	setup-lightshot.tmp
File created	C:\Program Files\Activation-Renewal\Activation_task.cmd	powershell.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\kk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\SETUP.EX_	MicrosoftEdge_X64_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gd.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-EK862.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mip_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-BS3UE.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-F5VI6.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\info.xml	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\en-GB.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\show_third_party_software_licenses.bat	setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_233451907\v1FieldTypes.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_406156588\crl-set	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-shared-components\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification\nl\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_390142511\Part-ES	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_390142511\Part-ZH	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_408430121\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_408430121\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-hub\fr\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_368244466\deny_full_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_408430121\shopping.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-cu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-es.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-hr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-hub\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification\it\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_390142511\Filtering Rules	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_1454134839\classification.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_553561487\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-da.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification-shared\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\Tokenized-Card\tokenized-card.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_825884409\nav_config.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification-shared\zh-Hant\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_1454134839\travel-facilitated-booking-bing.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_2139031501\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification-shared\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification-shared\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-ec\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-hub\nl\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_553561487\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-la.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-pa.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_406156588\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-notification-shared\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-tokenized-card\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-mobile-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\Mini-Wallet\miniwallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_1454134839\automation.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_233451907\autofill_bypass_cache_forms.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-fr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-kn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\bnpl_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_1133066179\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\json\i18n-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\Notification\notification.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_602667349\shopping_iframe_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_1454134839\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_408430121\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7860_819754990\hyph-de-ch-1901.hyb	msedge.exe

Executes dropped EXE 64 IoCs

pid	Process
1700	AnyDesk.exe
2620	AnyDesk.exe
4820	AnyDesk.exe
5540	setup.exe
1352	setup.exe
6048	AnyDesk.exe
7756	setup.exe
7772	setup.exe
7876	setup.exe
7884	setup.exe
7896	setup.exe
7912	setup.exe
7940	setup.exe
7976	setup.exe
7292	setup-lightshot.exe
7368	setup-lightshot.tmp
7088	Lightshot.exe
6280	Lightshot.exe
3860	setupupdater.exe
2604	setupupdater.tmp
6408	Updater.exe
7512	Updater.exe
5116	Updater.exe
7608	Updater.exe
7632	Updater.exe
7700	updater.exe
7784	updater.exe
7820	updater.exe
7780	updater.exe
7860	msedge.exe
6284	msedge.exe
2092	msedge.exe
3928	msedge.exe
668	msedge.exe
7596	elevation_service.exe
7716	msedge.exe
4680	msedge.exe
7236	msedge.exe
8604	msedge.exe
8672	msedge.exe
8848	msedge.exe
8880	msedge.exe
8872	msedge.exe
7240	identity_helper.exe
7544	identity_helper.exe
7752	msedge.exe
8712	msedge.exe
8832	msedge.exe
8440	msedge.exe
9164	msedge.exe
6800	msedge.exe
6420	msedge.exe
8416	msedge.exe
2252	msedge.exe
2036	msedge.exe
888	msedge.exe
9108	msedge.exe
4368	msedge.exe
7648	msedge.exe
8892	msedge.exe
5548	msedge.exe
9100	msedge.exe
5800	msedge.exe
7228	msedge.exe

Launches sc.exe 34 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2288	sc.exe
7128	sc.exe
2940	sc.exe
6452	sc.exe
2228	sc.exe
5504	sc.exe
6620	sc.exe
4024	sc.exe
5936	sc.exe
3656	sc.exe
6580	sc.exe
6872	sc.exe
4504	sc.exe
5024	sc.exe
572	sc.exe
6804	sc.exe
6244	sc.exe
4416	sc.exe
7144	sc.exe
4564	sc.exe
6084	sc.exe
5932	sc.exe
3864	sc.exe
7116	sc.exe
5536	sc.exe
2344	sc.exe
2836	sc.exe
3664	sc.exe
2136	sc.exe
4196	sc.exe
5664	sc.exe
1684	sc.exe
3468	sc.exe
4832	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
4820	AnyDesk.exe
2620	AnyDesk.exe
6280	Lightshot.exe
6280	Lightshot.exe
6280	Lightshot.exe
7860	msedge.exe
7860	msedge.exe
6284	msedge.exe
3928	msedge.exe
3928	msedge.exe
2092	msedge.exe
668	msedge.exe
2092	msedge.exe
668	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
7860	msedge.exe
7860	msedge.exe
7716	msedge.exe
4680	msedge.exe
7716	msedge.exe
4680	msedge.exe
7236	msedge.exe
7236	msedge.exe
4680	msedge.exe
7236	msedge.exe
7716	msedge.exe
8604	msedge.exe
8604	msedge.exe
8672	msedge.exe
8672	msedge.exe
8880	msedge.exe
8880	msedge.exe
8880	msedge.exe
8872	msedge.exe
8848	msedge.exe
8872	msedge.exe
7860	msedge.exe
8848	msedge.exe
7860	msedge.exe
8848	msedge.exe
7544	identity_helper.exe
7544	identity_helper.exe
7752	msedge.exe
7752	msedge.exe
8712	msedge.exe
8712	msedge.exe
8832	msedge.exe
8832	msedge.exe
8440	msedge.exe
8440	msedge.exe
9164	msedge.exe
9164	msedge.exe
6800	msedge.exe
6800	msedge.exe
6420	msedge.exe
6420	msedge.exe
8416	msedge.exe
8416	msedge.exe
2252	msedge.exe
2036	msedge.exe
888	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\setup-lightshot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Discord Auto Typer.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-lightshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-lightshot.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupupdater.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightshot.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5524	cmd.exe
1172	cmd.exe
3708	cmd.exe
2604	PING.EXE
7148	cmd.exe
7632	Updater.exe
2344	PING.EXE
3648	PING.EXE
6332	PING.EXE
8544	MicrosoftEdgeUpdate.exe
6336	PING.EXE
7608	Updater.exe
4404	cmd.exe
1052	cmd.exe
3464	PING.EXE

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
8124	taskkill.exe
1308	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office\16.0\Common	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\Resiliency	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\DEFTEMP-4252	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office\16.0\Common\Licensing	reg.exe
Set value (str)	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\Resiliency\TimeOfLastHeartbeatFailure = "2040-01-01T00:00:00Z"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\Software	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft	reg.exe
Key created	\REGISTRY\USER\DEFTEMP-4252\SOFTWARE\Microsoft\Office\16.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133842628257372308"	msedge.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
3132	reg.exe
7008	reg.exe
4636	reg.exe
3504	reg.exe
6168	reg.exe
6356	reg.exe
3740	reg.exe
5764	reg.exe
6064	reg.exe
4404	reg.exe
3468	reg.exe
6964	reg.exe
3800	reg.exe
4448	reg.exe
6700	reg.exe
7120	reg.exe
4448	reg.exe
272	reg.exe
7116	reg.exe
732	reg.exe
6408	reg.exe
6388	reg.exe
5768	reg.exe
5560	reg.exe
2028	reg.exe
5536	reg.exe
6776	reg.exe
6952	reg.exe
2604	reg.exe
6064	reg.exe
6536	reg.exe
1252	reg.exe
3976	reg.exe
1908	reg.exe
2884	reg.exe
2228	reg.exe
1792	reg.exe
6432	reg.exe
1084	reg.exe
4144	reg.exe
4900	reg.exe
4968	reg.exe
6132	reg.exe
6452	reg.exe
376	reg.exe
6536	reg.exe
7044	reg.exe
1544	reg.exe
2468	reg.exe
7064	reg.exe
5000	reg.exe
3028	reg.exe
7140	reg.exe
560	reg.exe
4820	reg.exe
644	reg.exe
6776	reg.exe
1352	reg.exe
5776	reg.exe
1576	reg.exe
5504	reg.exe
6580	reg.exe
2080	reg.exe
6724	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\setup-lightshot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Discord Auto Typer.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	firefox.exe

Runs net.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
3648	PING.EXE
6332	PING.EXE
2604	PING.EXE
3464	PING.EXE
2344	PING.EXE
6336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4660	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2732	AnyDesk.exe
2732	AnyDesk.exe
4820	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
4052	AnyDesk.exe
4052	AnyDesk.exe
6880	powershell.exe
6880	powershell.exe
6880	powershell.exe
7096	powershell.exe
7096	powershell.exe
7096	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
2580	powershell.exe
2580	powershell.exe
2580	powershell.exe
6252	powershell.exe
6252	powershell.exe
6252	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
7056	WMIC.exe
7056	WMIC.exe
7056	WMIC.exe
7056	WMIC.exe
6864	powershell.exe
6864	powershell.exe
6864	powershell.exe
5932	powershell.exe
5932	powershell.exe
5932	powershell.exe
5564	powershell.exe
5564	powershell.exe
5564	powershell.exe
7148	powershell.exe
7148	powershell.exe
7148	powershell.exe
3852	WMIC.exe
3852	WMIC.exe
3852	WMIC.exe
3852	WMIC.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
4992	WMIC.exe
4992	WMIC.exe
4992	WMIC.exe
4992	WMIC.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
6248	powershell.exe
6248	powershell.exe
6248	powershell.exe
2956	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3832	AnyDesk.exe
6048	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	AnyDesk.exe
Token: 33	552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	552	AUDIODG.EXE
Token: SeDebugPrivilege	5060	AnyDesk.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	6880	powershell.exe
Token: SeDebugPrivilege	7096	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	6252	powershell.exe
Token: SeDebugPrivilege	768	tasklist.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeIncreaseQuotaPrivilege	7056	WMIC.exe
Token: SeSecurityPrivilege	7056	WMIC.exe
Token: SeTakeOwnershipPrivilege	7056	WMIC.exe
Token: SeLoadDriverPrivilege	7056	WMIC.exe
Token: SeSystemProfilePrivilege	7056	WMIC.exe
Token: SeSystemtimePrivilege	7056	WMIC.exe
Token: SeProfSingleProcessPrivilege	7056	WMIC.exe
Token: SeIncBasePriorityPrivilege	7056	WMIC.exe
Token: SeCreatePagefilePrivilege	7056	WMIC.exe
Token: SeBackupPrivilege	7056	WMIC.exe
Token: SeRestorePrivilege	7056	WMIC.exe
Token: SeShutdownPrivilege	7056	WMIC.exe
Token: SeDebugPrivilege	7056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7056	WMIC.exe
Token: SeRemoteShutdownPrivilege	7056	WMIC.exe
Token: SeUndockPrivilege	7056	WMIC.exe
Token: SeManageVolumePrivilege	7056	WMIC.exe
Token: 33	7056	WMIC.exe
Token: 34	7056	WMIC.exe
Token: 35	7056	WMIC.exe
Token: 36	7056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7056	WMIC.exe
Token: SeSecurityPrivilege	7056	WMIC.exe
Token: SeTakeOwnershipPrivilege	7056	WMIC.exe
Token: SeLoadDriverPrivilege	7056	WMIC.exe
Token: SeSystemProfilePrivilege	7056	WMIC.exe
Token: SeSystemtimePrivilege	7056	WMIC.exe
Token: SeProfSingleProcessPrivilege	7056	WMIC.exe
Token: SeIncBasePriorityPrivilege	7056	WMIC.exe
Token: SeCreatePagefilePrivilege	7056	WMIC.exe
Token: SeBackupPrivilege	7056	WMIC.exe
Token: SeRestorePrivilege	7056	WMIC.exe
Token: SeShutdownPrivilege	7056	WMIC.exe
Token: SeDebugPrivilege	7056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7056	WMIC.exe
Token: SeRemoteShutdownPrivilege	7056	WMIC.exe
Token: SeUndockPrivilege	7056	WMIC.exe
Token: SeManageVolumePrivilege	7056	WMIC.exe
Token: 33	7056	WMIC.exe
Token: 34	7056	WMIC.exe
Token: 35	7056	WMIC.exe
Token: 36	7056	WMIC.exe
Token: SeDebugPrivilege	6864	powershell.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	7148	powershell.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
3832	AnyDesk.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
7368	setup-lightshot.tmp
6280	Lightshot.exe
6280	Lightshot.exe
6280	Lightshot.exe
2604	setupupdater.tmp
7860	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
2732	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
4820	AnyDesk.exe
6280	Lightshot.exe
6280	Lightshot.exe
6280	Lightshot.exe
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe
7860	msedge.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
4660	AnyDesk.exe
4660	AnyDesk.exe
3832	AnyDesk.exe
3832	AnyDesk.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
5876	Integrator.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
6048	AnyDesk.exe
6048	AnyDesk.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 5060	4052	AnyDesk.exe	91
PID 4052 wrote to memory of 5060	4052	AnyDesk.exe	91
PID 4052 wrote to memory of 5060	4052	AnyDesk.exe	91
PID 4052 wrote to memory of 2732	4052	AnyDesk.exe	92
PID 4052 wrote to memory of 2732	4052	AnyDesk.exe	92
PID 4052 wrote to memory of 2732	4052	AnyDesk.exe	92
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 1152 wrote to memory of 4492	1152	firefox.exe	119
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5264	4492	firefox.exe	120
PID 4492 wrote to memory of 5340	4492	firefox.exe	121
PID 4492 wrote to memory of 5340	4492	firefox.exe	121

System policy modification 1 TTPs 5 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3832
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1924 -prefsLen 27191 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1128b92d-d331-4c65-9476-325d456e1893} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" gpu
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 27069 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0456be3d-3013-4b4d-9384-b73d95d7182e} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" socket
    3⤵
    PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3300 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a9dbec-443a-427c-ad09-d2bc1def8765} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2668 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 32443 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d703f60-da7b-44ad-bb13-5156a71ec8a9} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4460 -prefMapHandle 4484 -prefsLen 32443 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {620fd6a4-9733-40b1-9361-d7ce3ddd0f24} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" utility
    3⤵
    - Checks processor information in registry
    PID:6444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -childID 3 -isForBrowser -prefsHandle 5244 -prefMapHandle 5276 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06068c96-7759-4c86-b0cb-72a07b8be1fa} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:7020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5456 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {badc1e85-922f-4aa3-8cd6-3216007f8eea} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:7044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5628 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ccdae0a-41ea-4333-9273-b26c229aeba4} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:7108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6760 -childID 6 -isForBrowser -prefsHandle 6836 -prefMapHandle 6832 -prefsLen 28339 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ed89e9-0155-44ce-91e3-0517110f5dca} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:6960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7128 -childID 7 -isForBrowser -prefsHandle 7076 -prefMapHandle 7140 -prefsLen 28339 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {988d6936-5782-4382-a370-93d2a51d23ba} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6300 -childID 8 -isForBrowser -prefsHandle 6584 -prefMapHandle 3952 -prefsLen 28339 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77c78a0-0cef-45d1-80d9-fa709cde38f6} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7348 -childID 9 -isForBrowser -prefsHandle 6676 -prefMapHandle 7288 -prefsLen 28379 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00157d1f-9f8e-4779-b6b5-a4096c106006} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:6880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7404 -parentBuildID 20240401114208 -prefsHandle 7908 -prefMapHandle 7912 -prefsLen 34357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b02d19-c46b-435b-9e9a-f1584d4915a7} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" rdd
    3⤵
    PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7268 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 8036 -prefMapHandle 7816 -prefsLen 34357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6dd0b8-6b1a-41af-a23a-8931fda73d96} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" utility
    3⤵
    - Checks processor information in registry
    PID:6244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 10 -isForBrowser -prefsHandle 4356 -prefMapHandle 4348 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60afb46d-4e8d-4ae1-a383-115c68b5aa76} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6484 -childID 11 -isForBrowser -prefsHandle 7180 -prefMapHandle 3968 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d2f9723-1990-49e9-97f5-317098d875a0} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7504 -childID 12 -isForBrowser -prefsHandle 8680 -prefMapHandle 8684 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12dd7717-0847-4001-919d-07545dc2fd12} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8864 -childID 13 -isForBrowser -prefsHandle 8872 -prefMapHandle 8880 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8d6d130-5a22-4027-aa6a-9918e7661fe4} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8992 -childID 14 -isForBrowser -prefsHandle 8964 -prefMapHandle 8972 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b709f0c5-dec8-43d5-b090-8cba0eaa3930} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9140 -childID 15 -isForBrowser -prefsHandle 6484 -prefMapHandle 3968 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73f894b2-7a50-49f4-bdc0-cd614abc02f6} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9232 -childID 16 -isForBrowser -prefsHandle 9672 -prefMapHandle 9140 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6be358e-b33c-49bf-b493-be7bec108a48} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9924 -childID 17 -isForBrowser -prefsHandle 9936 -prefMapHandle 9932 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {762f5c23-51d4-4880-b9e2-14f9e1cb1fe3} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9996 -childID 18 -isForBrowser -prefsHandle 10004 -prefMapHandle 10012 -prefsLen 28673 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f3e996a-5ace-4b1e-befe-adea678d3e2b} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:3004
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1700
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2620
    - - C:\Users\Admin\Downloads\AnyDesk.exe
        
        "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6048
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6696 -childID 19 -isForBrowser -prefsHandle 9148 -prefMapHandle 9812 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9219034d-2e7c-42f3-9ce7-9cbd2261ea5e} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:3504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10216 -childID 20 -isForBrowser -prefsHandle 10720 -prefMapHandle 10716 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ed53e1-4e00-4a25-967e-4b67b93fc1cc} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:7492
- - C:\Users\Admin\Downloads\setup-lightshot.exe
    "C:\Users\Admin\Downloads\setup-lightshot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7292
  - - C:\Users\Admin\AppData\Local\Temp\is-2S0GC.tmp\setup-lightshot.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2S0GC.tmp\setup-lightshot.tmp" /SL5="$30366,2148280,486912,C:\Users\Admin\Downloads\setup-lightshot.exe"
      4⤵
      Adds Run key to start application
      Checks computer location settings
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:7368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:8124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /F /IM lightshot.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1308
    - - C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
        
        "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7088
      - C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe
        
        "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\is-5G0N9.tmp\setupupdater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5G0N9.tmp\setupupdater.exe" /verysilent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\is-BHRUM.tmp\setupupdater.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BHRUM.tmp\setupupdater.tmp" /SL5="$104A4,490430,120832,C:\Users\Admin\AppData\Local\Temp\is-5G0N9.tmp\setupupdater.exe" /verysilent
        6⤵
        Checks computer location settings
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2604
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" START SCHEDULE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7184
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 START SCHEDULE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6408
        
        C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7512
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7608
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7632
    - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7700
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7784
    - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7820
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
        5⤵
        Checks computer location settings
        Checks system information in the registry
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        System policy modification
        
        PID:7860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x30c,0x310,0x314,0x308,0x31c,0x7ffbbc51b078,0x7ffbbc51b084,0x7ffbbc51b090
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2044,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2568,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3596,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4700,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:2
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3588,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5228,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8880
      - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3812,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:7240
      - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3812,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6616,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6764,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5012,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=772 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6068,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:9108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6236,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:4368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6192,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:7648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6684,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:8892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6472,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6756,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:9100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:5800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:7228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4088,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
        6⤵
        
        PID:7584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
        6⤵
        
        PID:8312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
        6⤵
        
        PID:4248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:8
        6⤵
        
        PID:2364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8
        6⤵
        
        PID:8884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6852,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
        6⤵
        
        PID:8228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4476,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
        6⤵
        
        PID:1244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3856,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:8
        6⤵
        
        PID:7836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6352,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:8
        6⤵
        
        PID:8372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
        6⤵
        
        PID:8800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6340,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:8
        6⤵
        
        PID:4332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6040,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
        6⤵
        
        PID:2600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6444,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
        6⤵
        
        PID:6340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6704 /prefetch:8
        6⤵
        
        PID:8436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=1208 /prefetch:8
        6⤵
        
        PID:8216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:8
        6⤵
        
        PID:2576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4012,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
        6⤵
        
        PID:8172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4132,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:8
        6⤵
        
        PID:8272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5784,i,5496603675122551872,2924058605081480086,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
        6⤵
        
        PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1300 -childID 21 -isForBrowser -prefsHandle 6116 -prefMapHandle 7668 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e91c429-ba23-4c21-8132-11f59c8e5965} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9812 -childID 22 -isForBrowser -prefsHandle 11164 -prefMapHandle 9164 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98e36919-1bc1-4345-84cd-723e0e8aad17} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:8332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10888 -childID 23 -isForBrowser -prefsHandle 7672 -prefMapHandle 8732 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d2f0e6-9bdf-43c0-ba1b-82cf59cfe52a} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:6424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11280 -childID 24 -isForBrowser -prefsHandle 11404 -prefMapHandle 11400 -prefsLen 28729 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6cdfb7-29ef-4189-b73e-1ae5b4bd1235} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" tab
    3⤵
    PID:8932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:5916
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:4196
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:644
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:1132
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:568
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:1196
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
  2⤵
  PID:6692
- C:\Windows\System32\find.exe
  find /i "ARM64"
  2⤵
  PID:6712
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:6360
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:6580
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:3556
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:6860
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:6776
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PStest:\s*';iex ($f[1])""
  2⤵
  PID:6788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PStest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6880
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:6800
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:7128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7096
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:6808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:5508
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:5504
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1348
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:3852
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:1652
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:412
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:4024
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:732
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:5644
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
      4⤵
      PID:696
  - - C:\Windows\System32\find.exe
      find /i "ARM64"
      4⤵
      PID:4996
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:2952
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:2028
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:1352
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:7164
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PStest:\s*';iex ($f[1])""
      4⤵
      PID:3864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PStest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:7048
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:7140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6252
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:5536
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4404
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 activated.win
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5524
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck30.activated.win
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6336
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:6324
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:6360
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:6860
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:920
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:7016
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:5024
  - - C:\Windows\System32\mode.com
      mode 76, 34
      4⤵
      PID:7056
  - - C:\Windows\System32\choice.exe
      choice /C:123456789EH0 /N
      4⤵
      PID:7144
  - - C:\Windows\System32\mode.com
      mode 76, 25
      4⤵
      PID:7076
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c tasklist | findstr /I ".exe" 2>nul
      4⤵
      PID:6072
    - - C:\Windows\System32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\findstr.exe
        
        findstr /I ".exe"
        5⤵
        
        PID:5912
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:2096
  - - C:\Windows\System32\find.exe
      find /i "-msaccess.exe-"
      4⤵
      PID:7096
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:4552
  - - C:\Windows\System32\find.exe
      find /i "-excel.exe-"
      4⤵
      PID:5236
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:3852
  - - C:\Windows\System32\find.exe
      find /i "-groove.exe-"
      4⤵
      PID:3196
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:412
  - - C:\Windows\System32\find.exe
      find /i "-lync.exe-"
      4⤵
      PID:4808
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:5876
  - - C:\Windows\System32\find.exe
      find /i "-onenote.exe-"
      4⤵
      PID:5540
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:4740
  - - C:\Windows\System32\find.exe
      find /i "-outlook.exe-"
      4⤵
      PID:4812
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:1212
  - - C:\Windows\System32\find.exe
      find /i "-powerpnt.exe-"
      4⤵
      PID:1956
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:2952
  - - C:\Windows\System32\find.exe
      find /i "-winproj.exe-"
      4⤵
      PID:3712
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:7164
  - - C:\Windows\System32\find.exe
      find /i "-mspub.exe-"
      4⤵
      PID:384
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:1904
  - - C:\Windows\System32\find.exe
      find /i "-visio.exe-"
      4⤵
      PID:6436
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:1028
  - - C:\Windows\System32\find.exe
      find /i "-winword.exe-"
      4⤵
      PID:1516
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -unsecapp.exe- -svchost.exe- -taskhostw.exe- -svchost.exe- -svchost.exe- -svchost.exe- -explorer.exe- -svchost.exe- -RuntimeBroker.exe- -SearchApp.exe- -RuntimeBroker.exe- -dllhost.exe- -RuntimeBroker.exe- -sppsvc.exe- -SppExtComObj.Exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -MicrosoftEdgeUpdate.exe- -svchost.exe- -svchost.exe- -svchost.exe- -MicrosoftEdgeUpdate.exe- -OfficeClickToRun.exe- -svchost.exe- -dllhost.exe- -TextInputHost.exe- -svchost.exe- -svchost.exe- -AnyDesk.exe- -AnyDesk.exe- -svchost.exe- -svchost.exe- -audiodg.exe- -svchost.exe- -AnyDesk.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -ShellExperienceHost.exe- -RuntimeBroker.exe- -dllhost.exe- -smartscreen.exe- -svchost.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -firefox.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- -WmiPrvSE.exe- "
      4⤵
      PID:3504
  - - C:\Windows\System32\find.exe
      find /i "-lime.exe-"
      4⤵
      PID:3200
  - - C:\Windows\System32\choice.exe
      choice /C:1230 /N
      4⤵
      PID:4924
  - - C:\Windows\System32\mode.com
      mode 130, 32
      4⤵
      PID:7048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:6244
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:2984
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6132
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6336
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6564
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2956
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6580
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:7008
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:920
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:5024
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:7016
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:7152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6864
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
      4⤵
      PID:2432
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:6068
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5564
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5764
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:3292
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:1028
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:2952
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5636
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5048
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2580
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4780
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5892
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2288
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:4924
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:6284
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:5664
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1684
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:6804
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:2884
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:2228
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:6952
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      PID:5536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:6356
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:6700
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:6724
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:6244
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:3468
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      PID:3556
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:7120
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:6776
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:3740
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:7008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:6132
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:6964
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:6064
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6620
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2344
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:6084
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5816
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4416
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:7128
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7136
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2940
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:5772
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:6784
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:7152
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:6404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7148
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "10" "
      4⤵
      PID:2456
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:3100
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
      4⤵
      PID:376
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3796
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:4636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4992
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:4740
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:4812
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440 0x80131501"
      4⤵
      PID:5640
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:5644
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:5908
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:3048
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:216
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:5312
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:4228
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:1472
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:6436
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:1516
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:6236
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:6412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5000
  - - C:\Windows\System32\findstr.exe
      findstr /i "KMS_"
      4⤵
      PID:4292
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:5040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6248
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:6724
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:2232
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:3468
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:3556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2940
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:1716
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      PID:6080
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:3080
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:1352
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:1084
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:1544
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      Modifies registry key
      PID:732
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      Modifies registry key
      PID:2028
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul
      4⤵
      PID:6168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"
        5⤵
        
        PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""
      4⤵
      PID:6420
  - - C:\Windows\System32\find.exe
      find /i "Office"
      4⤵
      PID:3048
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:1844
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        
        PID:2288
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:7140
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:2468
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:3200
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:1792
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:2836
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:7064
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:6276
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        
        PID:5000
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:2260
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:5536
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:6328
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:6408
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:6388
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:6536
  - - C:\Windows\System32\sc.exe
      sc query ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:6452
  - - C:\Windows\System32\sc.exe
      sc query OfficeSvc
      4⤵
      Launches sc.exe
      PID:2228
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType
      4⤵
      PID:6688
  - - C:\Windows\System32\find.exe
      find /i "WinNT"
      4⤵
      PID:5432
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
      4⤵
      PID:6364
  - - C:\Windows\System32\find.exe
      find /i "Server"
      4⤵
      PID:6724
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
      4⤵
      PID:3468
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        5⤵
        
        PID:3556
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:7008
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:6776
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
      4⤵
      PID:920
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
        5⤵
        Modifies registry key
        
        PID:6064
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul
      4⤵
      PID:5024
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport
        5⤵
        Modifies registry key
        
        PID:5768
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul
      4⤵
      PID:5976
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData
        5⤵
        Modifies registry key
        
        PID:3800
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
      4⤵
      PID:3572
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        5⤵
        
        PID:2640
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
      4⤵
      PID:4772
  - - C:\Windows\System32\find.exe
      find /i "Wow6432Node"
      4⤵
      PID:3092
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
      4⤵
      PID:5696
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
        5⤵
        
        PID:2344
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Retail Volume"
        5⤵
        
        PID:4820
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "" "
      4⤵
      PID:6904
  - - C:\Windows\System32\find.exe
      find /i " ProPlusRetail.16 "
      4⤵
      PID:7016
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
      4⤵
      PID:2184
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        5⤵
        
        PID:2224
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:1700
  - - C:\Windows\System32\findstr.exe
      findstr /I " ProPlusRetail "
      4⤵
      PID:6864
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:2752
  - - C:\Windows\System32\findstr.exe
      findstr /I "ProPlusRetail"
      4⤵
      PID:4684
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:5316
  - - C:\Windows\System32\find.exe
      find /i "2024"
      4⤵
      PID:6020
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Retail" "
      4⤵
      PID:3464
  - - C:\Windows\System32\find.exe
      find /i "Subscription"
      4⤵
      PID:992
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
      4⤵
      PID:5568
  - - C:\Windows\System32\find.exe
      find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
      4⤵
      PID:1652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
      4⤵
      PID:5572
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:4816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:5520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':hexedit\:.*';iex ($m[1]);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      PID:4652
  - - C:\Windows\System32\find.exe
      find /i "Error found"
      4⤵
      PID:4140
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo " ProPlusRetail " "
      4⤵
      PID:4716
  - - C:\Windows\System32\find.exe
      find /i "Volume"
      4⤵
      PID:4996
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }" 2>nul
      4⤵
      PID:436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }"
        5⤵
        
        PID:2444
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software
      4⤵
      PID:3292
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\15.0\Common\Licensing /f
      4⤵
      PID:1576
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath" 2>nul
      4⤵
      PID:2288
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath
        5⤵
        
        PID:1844
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f
      4⤵
      PID:3796
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
      4⤵
      PID:7140
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f
      4⤵
      PID:1792
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
      4⤵
      PID:3200
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\16.0\Common\Licensing /f
      4⤵
      PID:5896
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath" 2>nul
      4⤵
      PID:2836
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath
        5⤵
        
        PID:5636
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f
      4⤵
      PID:6692
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
      4⤵
      PID:6252
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f
      4⤵
      PID:6544
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
      4⤵
      PID:6308
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f
      4⤵
      Modifies registry key
      PID:5000
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
      4⤵
      Modifies registry key
      PID:6536
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f
      4⤵
      Modifies registry key
      PID:6388
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
      4⤵
      Modifies registry key
      PID:6452
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing 2>nul | findstr REG_
      4⤵
      PID:2884
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing
        5⤵
        
        PID:3520
    - - C:\Windows\System32\findstr.exe
        
        findstr REG_
        5⤵
        
        PID:6680
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f
      4⤵
      PID:6688
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f /reg:32
      4⤵
      PID:6244
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f
      4⤵
      PID:6364
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:32
      4⤵
      PID:6884
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:7120
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:6860
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:6868
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default" 2>nul
      4⤵
      PID:6580
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default
        5⤵
        
        PID:3740
  - - C:\Windows\System32\reg.exe
      reg load HKU\DEFTEMP-4252 "C:\Users\Default\NTUSER.DAT"
      4⤵
      PID:6976
  - - C:\Windows\System32\reg.exe
      reg query HKU\DEFTEMP-4252\Software
      4⤵
      PID:7156
  - - C:\Windows\System32\reg.exe
      reg add HKU\DEFTEMP-4252\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2268
  - - C:\Windows\System32\reg.exe
      reg unload HKU\DEFTEMP-4252
      4⤵
      PID:6620
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:4344
  - - C:\Windows\System32\reg.exe
      reg add HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
      4⤵
      PID:1824
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:4976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:4192
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
      4⤵
      PID:3024
  - - C:\Windows\System32\find.exe
      find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
      4⤵
      PID:6088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call UninstallProductKey
      4⤵
      PID:7136
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
      4⤵
      PID:6904
  - - C:\Windows\System32\find.exe
      find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
      4⤵
      PID:2096
  - - C:\Windows\System32\mode.com
      mode 76, 34
      4⤵
      PID:5024
  - - C:\Windows\System32\choice.exe
      choice /C:123456789EH0 /N
      4⤵
      PID:5976
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:3464
  - - C:\Windows\System32\choice.exe
      choice /C:1234567890 /N
      4⤵
      PID:992
  - - C:\Windows\System32\mode.com
      mode 115, 32
      4⤵
      PID:2452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      4⤵
      PID:3656
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:4404
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5764
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4144
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5776
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3028
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3504
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4504
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:5912
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:3292
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:3864
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:1200
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:2248
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:7048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        
        PID:1292
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:5000
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:924
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:4196
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6680
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:2228
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5560
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
      4⤵
      PID:460
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:6160
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      PID:4480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6584
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5800
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:6156
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:4164
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1172
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3648
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5076
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:2904
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:6024
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5792
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1004
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5548
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:572
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:4524
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:5976
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:4832
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4024
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:7144
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:376
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:272
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:1252
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:3976
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:4636
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:7044
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:1908
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      PID:216
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:3656
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5932
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:5764
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:4144
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:5776
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:3028
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:3504
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      PID:4504
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:1576
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      PID:3292
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:3664
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:7116
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:3864
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4924
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5936
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5536
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:6376
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2836
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:4880
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:6952
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:5664
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:7064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6388
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "11" "
      4⤵
      PID:5524
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:6324
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
      4⤵
      PID:6244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
        5⤵
        
        PID:6632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      PID:2956
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:6620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:7128
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:1152
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:6904
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440 0x80131501"
      4⤵
      PID:4820
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:4152
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:5720
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:4560
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:7136
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:7056
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:7100
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:1180
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:3092
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:7016
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:3572
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:3440
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:2344
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
      4⤵
      PID:6856
  - - C:\Windows\System32\findstr.exe
      findstr /i "KMS_"
      4⤵
      PID:6800
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:5356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        
        PID:4704
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:1084
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:956
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:1252
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:7044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6308
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:6708
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:6364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      PID:3520
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
      4⤵
      PID:3556
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
      4⤵
      PID:6724
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
      4⤵
      PID:6244
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /reg:32
      4⤵
      PID:6976
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
      4⤵
      PID:6868
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /reg:32
      4⤵
      PID:7008
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
      4⤵
      PID:384
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
      4⤵
      PID:3740
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
      4⤵
      PID:6716
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:1032
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
      4⤵
      PID:2764
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
      4⤵
      PID:1052
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2168
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
      4⤵
      PID:4968
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
      4⤵
      PID:6904
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
      4⤵
      PID:4820
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
      4⤵
      PID:3308
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:5720
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:4560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:7136
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:1716
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul
      4⤵
      PID:3956
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value
        5⤵
        
        PID:3036
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:6060
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:4480
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
      4⤵
      PID:1172
  - - C:\Windows\System32\find.exe
      find /i "32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee"
      4⤵
      PID:6136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="M7XTQ-FN8P6-TTKYV-9D4CC-J462D"
      4⤵
      PID:4316
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:3648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:1160
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      Modifies registry key
      PID:6432
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      PID:6800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""
      4⤵
      PID:6684
  - - C:\Windows\System32\find.exe
      find /i "Office"
      4⤵
      PID:4680
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:3976
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:1084
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:3728
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:4448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:3708
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:6168
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:4144
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:5504
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:4816
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:4404
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:2488
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        
        PID:2196
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:3664
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:7116
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:6692
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        
        PID:768
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:1840
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:7140
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:5896
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        
        PID:2836
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul
      4⤵
      PID:5636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"
        5⤵
        
        PID:5048
  - - C:\Windows\System32\sc.exe
      sc query ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:4564
  - - C:\Windows\System32\sc.exe
      sc query OfficeSvc
      4⤵
      Launches sc.exe
      PID:2136
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
      4⤵
      PID:2028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        5⤵
        
        PID:6688
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:6884
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:3132
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
      4⤵
      PID:1684
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
        5⤵
        Modifies registry key
        
        PID:3468
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul
      4⤵
      PID:6632
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport
        5⤵
        Modifies registry key
        
        PID:4900
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul
      4⤵
      PID:5744
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData
        5⤵
        Modifies registry key
        
        PID:5560
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
      4⤵
      PID:6064
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        5⤵
        Modifies registry key
        
        PID:6580
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
      4⤵
      PID:5064
  - - C:\Windows\System32\find.exe
      find /i "Wow6432Node"
      4⤵
      PID:460
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
      4⤵
      PID:2956
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
        5⤵
        
        PID:6160
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Retail Volume"
        5⤵
        
        PID:2992
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "" "
      4⤵
      PID:560
  - - C:\Windows\System32\find.exe
      find /i " ProPlusRetail.16 "
      4⤵
      PID:3188
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
      4⤵
      PID:2872
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        5⤵
        Modifies registry key
        
        PID:2080
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:220
  - - C:\Windows\System32\findstr.exe
      findstr /I " ProPlusRetail "
      4⤵
      PID:4224
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:4560
  - - C:\Windows\System32\findstr.exe
      findstr /I "ProPlusRetail"
      4⤵
      PID:432
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:1180
  - - C:\Windows\System32\findstr.exe
      findstr /i "O365"
      4⤵
      PID:7100
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:1364
  - - C:\Windows\System32\find.exe
      find /i "2024"
      4⤵
      PID:7152
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: [PrepidBypass] "
      4⤵
      PID:6084
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:4772
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -AccessRetail- "
      4⤵
      PID:4976
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:4060
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -ExcelRetail- "
      4⤵
      PID:6824
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:2344
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: "
      4⤵
      PID:7088
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:5076
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -O365BusinessRetail-O365EduCloudRetail-O365HomePremRetail-O365ProPlusRetail-O365SmallBusPremRetail- "
      4⤵
      PID:5224
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:1192
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: [Bypass] "
      4⤵
      PID:2332
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:5680
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -OneNoteRetail-OneNote2021Retail- "
      4⤵
      PID:6156
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:3648
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -OutlookRetail- "
      4⤵
      PID:3852
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:4476
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -PowerPointRetail- "
      4⤵
      PID:1700
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:5728
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectProRetail- "
      4⤵
      PID:5520
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:2116
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: "
      4⤵
      PID:5548
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:6224
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectStdRetail- "
      4⤵
      PID:3464
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:4620
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: "
      4⤵
      PID:2560
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:1820
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: -ProPlusRetail-ProfessionalPipcRetail-ProfessionalRetail- "
      4⤵
      PID:3704
  - - C:\Windows\System32\find.exe
      find /i "-ProPlusRetail-"
      4⤵
      PID:4148
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration "
      4⤵
      PID:2476
  - - C:\Windows\System32\find.exe
      find /i "propertyBag"
      4⤵
      PID:3976
  - - C:\Windows\System32\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlusVolume.OSPPReady /t REG_SZ /d 1
      4⤵
      Modifies registry key
      PID:4448
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
      4⤵
      PID:4228
  - - C:\Windows\System32\find.exe
      find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
      4⤵
      PID:6168
  - - C:\Program Files\Microsoft Office\root\integration\Integrator.exe
      "C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlusVolume.16 PidKey=XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:5876
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
      4⤵
      PID:2768
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        5⤵
        
        PID:6408
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c47456e3-265d-47b6-8ca0-c30abbd0ca36 c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 d450596f-894d-49e0-966a-fd39ed4c4c64 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
      4⤵
      PID:436
  - - C:\Windows\System32\find.exe
      find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
      4⤵
      PID:5896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99"
      4⤵
      PID:1292
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:6132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:6376
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }" 2>nul
      4⤵
      PID:6124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$p = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'; Get-ChildItem $p | ForEach-Object { $pi = (Get-ItemProperty """"$p\$($_.PSChildName)"""").ProfileImagePath; if ($pi -like '*\Users\*' -and (Test-Path """"$pi\NTUSER.DAT"""") -and -not ($_.PSChildName -match '\.bak$')) { Split-Path $_.PSPath -Leaf } }"
        5⤵
        
        PID:6972
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software
      4⤵
      PID:6412
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\15.0\Common\Licensing /f
      4⤵
      PID:7120
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath" 2>nul
      4⤵
      PID:6884
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath
        5⤵
        
        PID:6248
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f
      4⤵
      PID:1684
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
      4⤵
      PID:2268
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f
      4⤵
      PID:6632
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Licensing" /f /reg:32
      4⤵
      PID:5104
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-67687450-2252871228-2016797368-1000\Software\Microsoft\Office\16.0\Common\Licensing /f
      4⤵
      PID:5744
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath" 2>nul
      4⤵
      PID:384
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-67687450-2252871228-2016797368-1000" /v ProfileImagePath
        5⤵
        
        PID:7008
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f
      4⤵
      PID:4956
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
      4⤵
      PID:6716
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f
      4⤵
      PID:6088
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing" /f /reg:32
      4⤵
      PID:1052
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f
      4⤵
      Modifies registry key
      PID:2604
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
      4⤵
      Modifies registry key
      PID:4968
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f
      4⤵
      Modifies registry key
      PID:560
  - - C:\Windows\System32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration /v SharedComputerLicensing /f /reg:32
      4⤵
      Modifies registry key
      PID:4820
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing 2>nul | findstr REG_
      4⤵
      PID:7128
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f *.DeviceBasedLicensing
        5⤵
        
        PID:3324
    - - C:\Windows\System32\findstr.exe
        
        findstr REG_
        5⤵
        
        PID:2916
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f
      4⤵
      PID:4224
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\15.0\Common\OEM" /f /reg:32
      4⤵
      PID:4560
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f
      4⤵
      PID:432
  - - C:\Windows\System32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:32
      4⤵
      PID:1180
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1716
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\0ff1ce15-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:1364
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663" /f
      4⤵
      PID:3024
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default" 2>nul
      4⤵
      PID:6084
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default
        5⤵
        
        PID:4660
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:4976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:6532
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo " d450596f-894d-49e0-966a-fd39ed4c4c64" "
      4⤵
      PID:1172
  - - C:\Windows\System32\find.exe
      find /i "d450596f-894d-49e0-966a-fd39ed4c4c64"
      4⤵
      PID:972
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo " d450596f-894d-49e0-966a-fd39ed4c4c64" "
      4⤵
      PID:2184
  - - C:\Windows\System32\find.exe
      find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
      4⤵
      PID:4516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='de52bd50-9564-4adc-8fcb-a345c17f84f9' call UninstallProductKey
      4⤵
      PID:4316
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
      4⤵
      PID:3724
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name like '%windows%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
      4⤵
      PID:5792
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (Name like '%windows%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        5⤵
        
        PID:5028
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
      4⤵
      PID:5976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        5⤵
        
        PID:6800
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul
      4⤵
      PID:2116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path OfficeSoftwareProtectionProduct where (Name like '%office%' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE
        5⤵
        
        PID:5356
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get GracePeriodRemaining /VALUE" 2>nul
      4⤵
      PID:6684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get GracePeriodRemaining /VALUE
        5⤵
        
        PID:2380
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get LicenseFamily /VALUE" 2>nul
      4⤵
      PID:3712
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get LicenseFamily /VALUE
        5⤵
        
        PID:3612
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 win.kms.pub 2>nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3708
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 win.kms.pub
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6332
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "45.156.21.11"
      4⤵
      PID:6372
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "45.156.21.11" /reg:32
      4⤵
      PID:2248
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:3664
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:3504
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "45.156.21.11"
      4⤵
      PID:6128
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:5312
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "45.156.21.11"
      4⤵
      PID:6328
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "45.156.21.11" /reg:32
      4⤵
      PID:4144
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:5876
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:1576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' call Activate
      4⤵
      PID:4780
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 kms.sixyin.com 2>nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1052
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 kms.sixyin.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2604
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "121.4.72.85"
      4⤵
      PID:2760
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "121.4.72.85" /reg:32
      4⤵
      PID:1756
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:5720
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:6904
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "121.4.72.85"
      4⤵
      PID:888
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:1960
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "121.4.72.85"
      4⤵
      PID:4152
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "121.4.72.85" /reg:32
      4⤵
      PID:7100
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:7136
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:7152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' call Activate
      4⤵
      PID:5816
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 kms.ghpym.com 2>nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:7148
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 kms.ghpym.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3464
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
      4⤵
      PID:376
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5" /reg:32
      4⤵
      PID:232
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:1908
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:4448
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
      4⤵
      PID:6236
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:6340
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5"
      4⤵
      PID:6264
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "154.12.81.5" /reg:32
      4⤵
      PID:6280
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
      4⤵
      PID:2856
  - - C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
      4⤵
      PID:4052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' call Activate
      4⤵
      PID:768
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get GracePeriodRemaining /VALUE" 2>nul
      4⤵
      PID:6296
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee' get GracePeriodRemaining /VALUE
        5⤵
        
        PID:7140
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get LicenseFamily /VALUE" 2>nul
      4⤵
      PID:6284
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get LicenseFamily /VALUE
        5⤵
        
        PID:1008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call Activate
      4⤵
      PID:6132
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get GracePeriodRemaining /VALUE" 2>nul
      4⤵
      PID:6728
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' get GracePeriodRemaining /VALUE
        5⤵
        
        PID:7048
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:1300
  - - C:\Windows\System32\find.exe
      find /i "\Activation-Renewal"
      4⤵
      PID:3132
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:6216
  - - C:\Windows\System32\find.exe
      find /i "\Activation-Run_Once"
      4⤵
      PID:2444
  - - C:\Windows\System32\schtasks.exe
      schtasks /delete /tn Online_KMS_Activation_Script-Renewal /f
      4⤵
      PID:6148
  - - C:\Windows\System32\schtasks.exe
      schtasks /delete /tn Online_KMS_Activation_Script-Run_Once /f
      4⤵
      PID:7008
  - - C:\Windows\System32\reg.exe
      reg delete "HKCR\DesktopBackground\shell\Activate Windows - Office" /f
      4⤵
      PID:6580
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:6900
  - - C:\Windows\System32\find.exe
      find /i "\Activation-Renewal"
      4⤵
      PID:6160
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:6620
  - - C:\Windows\System32\find.exe
      find /i "\Activation-Run_Once"
      4⤵
      PID:6408
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:4780
  - - C:\Windows\System32\find.exe
      find /i "\Online_KMS_Activation_Script"
      4⤵
      PID:1140
  - - C:\Windows\System32\reg.exe
      reg query "HKCR\DesktopBackground\shell\Activate Windows - Office"
      4⤵
      PID:5556
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "[Guid]::NewGuid().Guid"
      4⤵
      PID:4464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "[Guid]::NewGuid().Guid"
        5⤵
        
        PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split \":renewal\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\2550222e4221f-6540-461f-bd86-c2f0359b2622\Renewal.xml',$f[1].Trim(),[System.Text.Encoding]::Unicode);"
      4⤵
      PID:7056
  - - C:\Windows\System32\schtasks.exe
      schtasks /create /tn "Activation-Renewal" /ru "SYSTEM" /xml "C:\Windows\Temp\2550222e4221f-6540-461f-bd86-c2f0359b2622\Renewal.xml"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split \":_extracttask\:.*`r`n\"; [io.file]::WriteAllText('C:\Program Files\Activation-Renewal\Activation_task.cmd', '@::22e4221f-6540-461f-bd86-c2f0359b2622' + [Environment]::NewLine + $f[1].Trim(), [System.Text.Encoding]::ASCII)"
      4⤵
      Drops file in Program Files directory
      PID:3676
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:2184
  - - C:\Windows\System32\find.exe
      find /i "\Activation-Renewal"
      4⤵
      PID:2332
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
      4⤵
      PID:6840
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
      4⤵
      PID:6048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
      4⤵
      PID:3168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2732

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:2184

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:4704

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
PID:3840
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:5540
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7ca5ea818,0x7ff7ca5ea824,0x7ff7ca5ea830
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:1352
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:7756
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A962B28-8224-423D-A17C-08117D3E755C}\EDGEMITMP_B3208.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7ca5ea818,0x7ff7ca5ea824,0x7ff7ca5ea830
      4⤵
      Executes dropped EXE
      PID:7772
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:7876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7e48aa818,0x7ff7e48aa824,0x7ff7e48aa830
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:7912
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:7884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7e48aa818,0x7ff7e48aa824,0x7ff7e48aa830
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:7940
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:7896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7e48aa818,0x7ff7e48aa824,0x7ff7e48aa830
      4⤵
      Executes dropped EXE
      PID:7976

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:7596

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTA5N0I5NTMtNjVFMy00NzQ0LTlDOTgtQjFDMTFFRTM1NzNDfSIgdXNlcmlkPSJ7ODI2QjAzNkUtRTNBQy00N0RFLTkxQTUtODI4OEFGMDRFNkUwfSIgaW5zdGFsbHNvdXJjZT0iY29yZSIgcmVxdWVzdGlkPSJ7NkNDRjU2QzEtRTQ0Ni00MzMzLUJCRkUtNUI2MkNFQTY3NDcxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgY29ob3J0PSJycmZAMC4xMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI0IiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins4MjRBMkFDNy1BRDQ5LTQ3OTUtQjJERC1DQjM3NjJCRjE4MTR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMyI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTkzNjY0NDE5NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxOTM2NjQ0MTk3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQ0NTI1NDc1NCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5ODc0MjQzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUg4VFpNUFZjaDZRalFmQ1ElMmZWOEo2V0w5MCUyYlVsWGVPUHQlMmIwQjlLeSUyYkN0M0oyJTJiJTJiTHlKVUxZVnV5QnJHVk5sJTJmeGdFaXlmZUZCeDN2UFk3QjklMmJXaUFIUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODY2IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQ0NTI5NDc3OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk4NzQyNDMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SDhUWk1QVmNoNlFqUWZDUSUyZlY4SjZXTDkwJTJiVWxYZU9QdCUyYjBCOUt5JTJiQ3QzSjIlMmIlMmJMeUpVTFlWdXlCckdWTmwlMmZ4Z0VpeWZlRkJ4M3ZQWTdCOSUyYldpQUhRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iODA4MzQ0NyIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iMTUxMjI3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODg5IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQ0NTI5NDc3OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk4NzQyNDMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SDhUWk1QVmNoNlFqUWZDUSUyZlY4SjZXTDkwJTJiVWxYZU9QdCUyYjBCOUt5JTJiQ3QzSjIlMmIlMmJMeUpVTFlWdXlCckdWTmwlMmZ4Z0VpeWZlRkJ4M3ZQWTdCOSUyYldpQUhRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNDQ1Mjk0Nzc5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk4NzQyNDMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SDhUWk1QVmNoNlFqUWZDUSUyZlY4SjZXTDkwJTJiVWxYZU9QdCUyYjBCOUt5JTJiQ3QzSjIlMmIlMmJMeUpVTFlWdXlCckdWTmwlMmZ4Z0VpeWZlRkJ4M3ZQWTdCOSUyYldpQUhRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNDQ1MzM0Nzk2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTg3NDI0MyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1IOFRaTVBWY2g2UWpRZkNRJTJmVjhKNldMOTAlMmJVbFhlT1B0JTJiMEI5S3klMmJDdDNKMiUyYiUyYkx5SlVMWVZ1eUJyR1ZObCUyZnhnRWl5ZmVGQngzdlBZN0I5JTJiV2lBSFElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI4NTY1NDI0IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSI1MTkyNzYwNzkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA0NDUzMzQ3OTYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5ODc0MjQzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUg4VFpNUFZjaDZRalFmQ1ElMmZWOEo2V0w5MCUyYlVsWGVPUHQlMmIwQjlLeSUyYkN0M0oyJTJiJTJiTHlKVUxZVnV5QnJHVk5sJTJmeGdFaXlmZUZCeDN2UFk3QjklMmJXaUFIUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjE5OS4yMzIuMjE0LjE3MiIgY2RuX2NpZD0iMyIgY2RuX2NjYz0iR0IiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IkhJVCIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjI2ODk1MSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQ0NTQ1NDc3OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQ1ODczNTg2OSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEwNDk0NDc5NDYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMjkwNiIgZG93bmxvYWRfdGltZV9tcz0iNTE5NzM3Mzk3IiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjU5MDY3Ii8-PHBpbmcgYWN0aXZlPSIwIiByPSI0IiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins5NTg0QjVCNS1ENzEyLTQwNkYtODU4Qi1DNTlCMjcyRUQ4MjV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNjciPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNCIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NUNFMjQzMDYtQTZBMS00Mzc1LUIzMDItQkFEQkMzMTBFRkUzfSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:8544

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
1⤵
- System Location Discovery: System Language Discovery
PID:7496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery