a5dc155fa98ab7edaa456de7fb437b5ba07ce3401416a25a92693a37df1c6300

Analysis

max time kernel
185s
max time network
156s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27/02/2025, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRPQTGv125.0.exe
Size

7.7MB
MD5

76d9bda14978cfb72485c6032c800fad
SHA1

29a8a065531bcfe7adb0d1a7b7adb78cd336e14c
SHA256

a5dc155fa98ab7edaa456de7fb437b5ba07ce3401416a25a92693a37df1c6300
SHA512

be4c21a721e0586fc15e780d956a80d78a8610180f9eddb7e308e64956bac7c1c121a7740f519b6b8bc5110b81f2237309b3fbbebefb17544d45cb81d6eaa65b
SSDEEP

98304:n4p/sbedo6JBrqU1TzhFc20tWsc20tWFc20tWtc20tWlHlCc20tWuiFmfpP4g:n6doe95FVuVPVHV3HlCVoDpP4g

Score

10^/10

defense_evasion discovery execution persistence privilege_escalation trojan upx

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\MRP_QT = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\GUI_QT = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4916	powershell.exe
2860	powershell.exe
4152	powershell.exe
4912	powershell.exe
236	powershell.exe
4840	powershell.exe
2644	powershell.exe
3440	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3868	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe

Executes dropped EXE 36 IoCs

pid	Process
408	ChkValid.exe
2664	ChkValid.exe
4144	ChkValid.exe
4980	ChkValid.exe
2388	ChkValid.exe
3460	ChkValid.exe
1124	ChkValid.exe
3852	ChkValid.exe
1560	ChkValid.exe
1120	MRP_VMDetect.Exe
2108	Generic.exe
4292	Generic.exe
1768	Generic.exe
2512	Generic.exe
1416	Generic.exe
1124	ChkValid.exe
1736	ChkValid.exe
116	ChkValid.exe
236	Generic.exe
64	Generic.exe
1352	Generic.exe
464	ChkValid.exe
1736	ChkValid.exe
4556	ChkValid.exe
2540	ChkValid.exe
60	ChkValid.exe
2652	ChkValid.exe
2136	ChkValid.exe
2584	ChkValid.exe
3656	MBRGPT.exe
4144	Process not Found
1108	Process not Found
1556	Process not Found
4792	Process not Found
636	Process not Found
4912	Process not Found

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
4676	bcdedit.exe

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3176	reg.exe
436	powercfg.exe
4752	cmd.exe
4188	reg.exe
4020	cmd.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000027efb-156.dat	autoit_exe
behavioral1/files/0x0008000000027ef9-231.dat	autoit_exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000027ef5-170.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
420	sc.exe
2876	sc.exe
4344	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MRP_VMDetect.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3088	cmd.exe
412	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	reg.exe

Delays execution with timeout.exe 27 IoCs

defense_evasion

pid	Process
4924	timeout.exe
1988	timeout.exe
2196	timeout.exe
2204	timeout.exe
568	Process not Found
3128	Process not Found
4776	timeout.exe
1648	timeout.exe
3044	timeout.exe
2132	Process not Found
3608	Process not Found
4312	timeout.exe
4844	timeout.exe
1552	timeout.exe
1352	Process not Found
1552	Process not Found
236	Process not Found
820	timeout.exe
3736	timeout.exe
4556	timeout.exe
1244	timeout.exe
4672	timeout.exe
5000	timeout.exe
3628	timeout.exe
2228	timeout.exe
344	timeout.exe
3860	timeout.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4672	systeminfo.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\MRP_QT\winmgmts:\root\CIMV2	MRP_VMDetect.Exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	WMIC.exe
2616	WMIC.exe
2616	WMIC.exe
2616	WMIC.exe
4276	WMIC.exe
4276	WMIC.exe
4276	WMIC.exe
4276	WMIC.exe
4916	powershell.exe
4916	powershell.exe
4152	powershell.exe
4152	powershell.exe
4912	powershell.exe
4912	powershell.exe
2860	powershell.exe
2860	powershell.exe
1816	WMIC.exe
1816	WMIC.exe
1816	WMIC.exe
1816	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
2876	WMIC.exe
2876	WMIC.exe
2876	WMIC.exe
2876	WMIC.exe
236	powershell.exe
236	powershell.exe
4840	powershell.exe
4840	powershell.exe
3672	WMIC.exe
3672	WMIC.exe
3672	WMIC.exe
3672	WMIC.exe
1532	WMIC.exe
1532	WMIC.exe
1532	WMIC.exe
1532	WMIC.exe
3064	WMIC.exe
3064	WMIC.exe
3064	WMIC.exe
3064	WMIC.exe
1184	WMIC.exe
1184	WMIC.exe
1184	WMIC.exe
1184	WMIC.exe
3024	WMIC.exe
3024	WMIC.exe
3024	WMIC.exe
3024	WMIC.exe
3856	WMIC.exe
3856	WMIC.exe
3856	WMIC.exe
3856	WMIC.exe
2584	WMIC.exe
2584	WMIC.exe
2584	WMIC.exe
2584	WMIC.exe
1020	powershell.exe
1020	powershell.exe
3056	WMIC.exe
3056	WMIC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4912	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemProfilePrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeProfSingleProcessPrivilege	2616	WMIC.exe
Token: SeIncBasePriorityPrivilege	2616	WMIC.exe
Token: SeCreatePagefilePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeDebugPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeRemoteShutdownPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe
Token: SeManageVolumePrivilege	2616	WMIC.exe
Token: 33	2616	WMIC.exe
Token: 34	2616	WMIC.exe
Token: 35	2616	WMIC.exe
Token: 36	2616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemProfilePrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeProfSingleProcessPrivilege	2616	WMIC.exe
Token: SeIncBasePriorityPrivilege	2616	WMIC.exe
Token: SeCreatePagefilePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeDebugPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeRemoteShutdownPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe
Token: SeManageVolumePrivilege	2616	WMIC.exe
Token: 33	2616	WMIC.exe
Token: 34	2616	WMIC.exe
Token: 35	2616	WMIC.exe
Token: 36	2616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe
Token: SeSecurityPrivilege	4276	WMIC.exe
Token: SeTakeOwnershipPrivilege	4276	WMIC.exe
Token: SeLoadDriverPrivilege	4276	WMIC.exe
Token: SeSystemProfilePrivilege	4276	WMIC.exe
Token: SeSystemtimePrivilege	4276	WMIC.exe
Token: SeProfSingleProcessPrivilege	4276	WMIC.exe
Token: SeIncBasePriorityPrivilege	4276	WMIC.exe
Token: SeCreatePagefilePrivilege	4276	WMIC.exe
Token: SeBackupPrivilege	4276	WMIC.exe
Token: SeRestorePrivilege	4276	WMIC.exe
Token: SeShutdownPrivilege	4276	WMIC.exe
Token: SeDebugPrivilege	4276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4276	WMIC.exe
Token: SeRemoteShutdownPrivilege	4276	WMIC.exe
Token: SeUndockPrivilege	4276	WMIC.exe
Token: SeManageVolumePrivilege	4276	WMIC.exe
Token: 33	4276	WMIC.exe
Token: 34	4276	WMIC.exe
Token: 35	4276	WMIC.exe
Token: 36	4276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3916	3168	MRPQTGv125.0.exe	82
PID 3168 wrote to memory of 3916	3168	MRPQTGv125.0.exe	82
PID 3168 wrote to memory of 3916	3168	MRPQTGv125.0.exe	82
PID 3916 wrote to memory of 1740	3916	cmd.exe	83
PID 3916 wrote to memory of 1740	3916	cmd.exe	83
PID 3916 wrote to memory of 1740	3916	cmd.exe	83
PID 3916 wrote to memory of 3652	3916	cmd.exe	84
PID 3916 wrote to memory of 3652	3916	cmd.exe	84
PID 3916 wrote to memory of 3652	3916	cmd.exe	84
PID 3916 wrote to memory of 892	3916	cmd.exe	85
PID 3916 wrote to memory of 892	3916	cmd.exe	85
PID 3916 wrote to memory of 924	3916	cmd.exe	86
PID 3916 wrote to memory of 924	3916	cmd.exe	86
PID 3916 wrote to memory of 2372	3916	cmd.exe	87
PID 3916 wrote to memory of 2372	3916	cmd.exe	87
PID 3916 wrote to memory of 4444	3916	cmd.exe	88
PID 3916 wrote to memory of 4444	3916	cmd.exe	88
PID 3916 wrote to memory of 4152	3916	cmd.exe	89
PID 3916 wrote to memory of 4152	3916	cmd.exe	89
PID 3916 wrote to memory of 1704	3916	cmd.exe	90
PID 3916 wrote to memory of 1704	3916	cmd.exe	90
PID 3916 wrote to memory of 4080	3916	cmd.exe	91
PID 3916 wrote to memory of 4080	3916	cmd.exe	91
PID 3916 wrote to memory of 4080	3916	cmd.exe	91
PID 3916 wrote to memory of 3740	3916	cmd.exe	92
PID 3916 wrote to memory of 3740	3916	cmd.exe	92
PID 3916 wrote to memory of 3740	3916	cmd.exe	92
PID 3740 wrote to memory of 2744	3740	cmd.exe	93
PID 3740 wrote to memory of 2744	3740	cmd.exe	93
PID 3916 wrote to memory of 4352	3916	cmd.exe	95
PID 3916 wrote to memory of 4352	3916	cmd.exe	95
PID 3916 wrote to memory of 4352	3916	cmd.exe	95
PID 4352 wrote to memory of 1440	4352	cmd.exe	96
PID 4352 wrote to memory of 1440	4352	cmd.exe	96
PID 3916 wrote to memory of 3868	3916	cmd.exe	97
PID 3916 wrote to memory of 3868	3916	cmd.exe	97
PID 3916 wrote to memory of 1960	3916	cmd.exe	98
PID 3916 wrote to memory of 1960	3916	cmd.exe	98
PID 3916 wrote to memory of 1960	3916	cmd.exe	98
PID 3916 wrote to memory of 2616	3916	cmd.exe	99
PID 3916 wrote to memory of 2616	3916	cmd.exe	99
PID 3916 wrote to memory of 1020	3916	cmd.exe	100
PID 3916 wrote to memory of 1020	3916	cmd.exe	100
PID 3916 wrote to memory of 344	3916	cmd.exe	101
PID 3916 wrote to memory of 344	3916	cmd.exe	101
PID 3916 wrote to memory of 568	3916	cmd.exe	105
PID 3916 wrote to memory of 568	3916	cmd.exe	105
PID 3916 wrote to memory of 568	3916	cmd.exe	105
PID 568 wrote to memory of 4112	568	cmd.exe	106
PID 568 wrote to memory of 4112	568	cmd.exe	106
PID 3916 wrote to memory of 4200	3916	cmd.exe	107
PID 3916 wrote to memory of 4200	3916	cmd.exe	107
PID 3916 wrote to memory of 4200	3916	cmd.exe	107
PID 4200 wrote to memory of 4276	4200	cmd.exe	108
PID 4200 wrote to memory of 4276	4200	cmd.exe	108
PID 3916 wrote to memory of 3660	3916	cmd.exe	109
PID 3916 wrote to memory of 3660	3916	cmd.exe	109
PID 3916 wrote to memory of 3660	3916	cmd.exe	109
PID 3916 wrote to memory of 4384	3916	cmd.exe	110
PID 3916 wrote to memory of 4384	3916	cmd.exe	110
PID 3916 wrote to memory of 2228	3916	cmd.exe	111
PID 3916 wrote to memory of 2228	3916	cmd.exe	111
PID 3916 wrote to memory of 2228	3916	cmd.exe	111
PID 3916 wrote to memory of 4620	3916	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3868	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MRPQTGv125.0.exe
"C:\Users\Admin\AppData\Local\Temp\MRPQTGv125.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\mode.com
    mode con cols=90 lines=23
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3652
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node"
    3⤵
    PID:892
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot81"
    3⤵
    PID:924
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot81"
    3⤵
    PID:2372
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node"
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot10"
    3⤵
    PID:4152
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot10"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "dism.exe"
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "C:\Windows\System32\DISM.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\system32\cscript.exe
      cscript //nologo //e:jscript "C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd" /file:"C:\Windows\System32\Dism.exe"
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "C:\Windows\SysWOW64\DISM.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\system32\cscript.exe
      cscript //nologo //e:jscript "C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd" /file:"C:\Windows\SysWOW64\Dism.exe"
      4⤵
      PID:1440
- - C:\Windows\system32\attrib.exe
    Attrib "C:\Users\Admin\AppData\Local\Temp\MRP_QT" +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1960
- - C:\Windows\system32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:1020
- - C:\Windows\system32\timeout.exe
    TIMEOUT /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "MRPDetectCPU.vbs" 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "MRPDetectCPU.vbs"
      4⤵
      PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET osarchitecture /value 2>nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET osarchitecture /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO "64-bit " "
    3⤵
    PID:3660
- - C:\Windows\system32\findstr.exe
    FindStr /i "64"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO "64-bit " "
    3⤵
    PID:2228
- - C:\Windows\system32\findstr.exe
    FindStr /i "32"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy" 2>nul
    3⤵
    PID:3656
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy"
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" 2>nul
    3⤵
    PID:4308
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy"
      4⤵
      PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:2204
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:3836
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:920
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:2368
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:916
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:3304
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:988
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:1040
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:4496
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install"
      4⤵
      PID:3892
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install"
      4⤵
      PID:2580
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "1.0, 2.0, 3.0, 4.0, 5.0, 5.1 " "
    3⤵
    PID:1748
- - C:\Windows\system32\findstr.exe
    findstr /i "3."
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "1.0, 2.0, 3.0, 4.0, 5.0, 5.1 " "
    3⤵
    PID:4304
- - C:\Windows\system32\findstr.exe
    findstr /i "5."
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "5.1.19041.1 " "
    3⤵
    PID:2768
- - C:\Windows\system32\findstr.exe
    findstr /i "5."
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:412
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:2496
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:3632
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:4488
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:4812
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:4768
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:1184
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:2940
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:1544
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs" 2>Nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs"
      4⤵
      PID:1484
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    3⤵
    PID:2652
- - C:\Windows\system32\findstr.exe
    FindStr /I "C:\Users\Admin\AppData\Local\Temp\MRP_QT"
    3⤵
    PID:2144
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $A='HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths','preserve','S-1-1-0','','','';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd')-split':Own1\:.*')[1])
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp\MRP_QT" /d "0" /t reg_dword /f
    3⤵
    - Windows security bypass
    PID:1168
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp\GUI_QT" /d "0" /t reg_dword /f
    3⤵
    - Windows security bypass
    PID:4444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MRP_QT" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4152
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MRP_QT' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4912
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $A='HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths','none','S-1-1-0','','','';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd')-split':Own1\:.*')[1])
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    3⤵
    PID:2228
- - C:\Windows\system32\findstr.exe
    FindStr /I "C:\Users\Admin\AppData\Local\Temp\MRP_QT"
    3⤵
    PID:4620
- - C:\Windows\system32\timeout.exe
    timeout /t 2 /NoBreak
    3⤵
    - Delays execution with timeout.exe
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" 2>nul
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled"
      4⤵
      PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo" 2>nul
    3⤵
    PID:2432
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo"
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo" 2>nul
    3⤵
    PID:4148
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo"
      4⤵
      PID:3736
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 process get processid,parentprocessid,executablepath
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- - C:\Windows\system32\findstr.exe
    FindStr /I "Powershell"
    3⤵
    PID:1392
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 process get processid,parentprocessid,executablepath
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- - C:\Windows\system32\findstr.exe
    FindStr /I "CMD"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" 2>nul
    3⤵
    PID:4788
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion"
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "DirtyShutdownCount" 2>nul
    3⤵
    PID:3332
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "DirtyShutdownCount"
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionVersion" /v "EditionBuildQfe" 2>nul
    3⤵
    PID:1644
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionVersion" /v "EditionBuildQfe"
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Echo "0x11b1 " 2>nul"
    3⤵
    PID:2300
- - C:\Windows\system32\findstr.exe
    FindStr /I "0x"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "PEFirmwareType" 2>nul
    3⤵
    PID:1720
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "PEFirmwareType"
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" 2>nul
    3⤵
    PID:2468
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection"
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions" 2>nul
    3⤵
    PID:1196
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions"
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" 2>nul
    3⤵
    PID:2844
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction"
      4⤵
      PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic os get LocalDateTime /value 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
  - - C:\Windows\system32\Wbem\WMIC.exe
      wmic os get LocalDateTime /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs" 2>Nul
    3⤵
    PID:1184
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs"
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection"
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions" 2>nul
    3⤵
    PID:4324
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions"
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" 2>nul
    3⤵
    PID:3856
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction"
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used"
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used" 2>nul
    3⤵
    PID:2584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used"
      4⤵
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "FindTPM.vbs" 2>Nul
    3⤵
    PID:3420
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "FindTPM.vbs"
      4⤵
      PID:1224
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1" 2>nul
    3⤵
    PID:3604
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" 2>nul
    3⤵
    PID:1648
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck"
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" 2>nul
    3⤵
    PID:4908
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck"
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" 2>nul
    3⤵
    PID:2668
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck"
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU" 2>nul
    3⤵
    PID:4072
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU"
      4⤵
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU"
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubVersion" 2>NUL
    3⤵
    PID:3304
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubVersion"
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubString" 2>NUL
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubString"
      4⤵
      PID:4256
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used" 2>nul
    3⤵
    PID:1680
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used"
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used" 2>nul
    3⤵
    PID:1436
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used"
      4⤵
      PID:1756
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:2384
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<EnterpriseEval\>"
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:4428
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<EnterpriseEvalN\>"
    3⤵
    PID:3568
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:2644
- - C:\Windows\system32\findstr.exe
    FindStr /I "Eval"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "Isw11.vbs" 2>Nul
    3⤵
    PID:3056
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "Isw11.vbs"
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" 2>nul
    3⤵
    PID:3632
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:5024
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersion" 2>nul
    3⤵
    PID:4812
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersion"
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersionInfo" 2>nul
    3⤵
    PID:4980
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersionInfo"
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" 2>nul
    3⤵
    PID:2388
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork"
      4⤵
      PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate"
      4⤵
      PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" 2>nul
    3⤵
    PID:3252
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled"
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DestBuildNum" 2>nul
    3⤵
    PID:60
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DestBuildNum"
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "RedReason" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "RedReason"
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgEx" 2>nul
    3⤵
    PID:1560
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgEx"
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgExU" 2>nul
    3⤵
    PID:4424
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgExU"
      4⤵
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DX12" 2>nul
    3⤵
    PID:2512
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DX12"
      4⤵
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Genuine" 2>nul
    3⤵
    PID:1416
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Genuine"
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "OEM" 2>nul
    3⤵
    PID:4448
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "OEM"
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Touch" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Touch"
      4⤵
      PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser" /v "HaveUploadedForTarget" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser" /v "HaveUploadedForTarget"
      4⤵
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "SystemDriveTooFull" 2>nul
    3⤵
    PID:3964
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "SystemDriveTooFull"
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" 2>nul
    3⤵
    PID:4228
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride"
      4⤵
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" 2>nul
    3⤵
    PID:3468
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask"
      4⤵
      PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" 2>NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CompositionEditionID" 2>NUL
    3⤵
    PID:4068
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CompositionEditionID"
      4⤵
      PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>NUL | FindStr /I "CurrentVersion" 2>nul
    3⤵
    PID:3084
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:4836
  - - C:\Windows\system32\findstr.exe
      FindStr /I "CurrentVersion"
      4⤵
      PID:2640
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-EnterpriseSEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
    3⤵
    PID:4464
- - C:\Windows\system32\findstr.exe
    FindStr /I "0x70"
    3⤵
    PID:3660
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-EnterpriseSEdition~31bf3856ad364e35~amd64~~10.0.19041.4529" /v "CurrentState"
    3⤵
    PID:2248
- - C:\Windows\system32\findstr.exe
    FindStr /I "0x70"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ECHO "Microsoft-Windows-EnterpriseSEdition~31bf3856ad364e35~amd64~~10.0.19041.4529"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE" 2>nul
    3⤵
    PID:3344
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId" 2>nul
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Codesigning-Support" 2>nul
    3⤵
    PID:2608
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Codesigning-Support"
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Core-Codesigning-Support" 2>nul
    3⤵
    PID:3052
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Core-Codesigning-Support"
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\BitlockerStatus" /v "BootStatus" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\BitlockerStatus" /v "BootStatus"
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus" /v "BootStatus" 2>nul
    3⤵
    PID:1980
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus" /v "BootStatus"
      4⤵
      PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01" 2>nul
    3⤵
    PID:1040
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01"
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "32" 2>nul
    3⤵
    PID:4548
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "32"
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "512" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "512"
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul
    3⤵
    PID:2716
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Control Panel\Desktop" /v "WallpaperStyle" 2>nul
    3⤵
    PID:2580
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Control Panel\Desktop" /v "WallpaperStyle"
      4⤵
      PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:1844
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:2460
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Windows\system32\findstr.exe
    FindStr /v /r /c:"^$" /c:"displayName"
    3⤵
    PID:1720
- - C:\Windows\system32\sort.exe
    sort "C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Type "C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt" 2>Nul
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "MpsSvc" 2>nul
    3⤵
    PID:5024
  - - C:\Windows\system32\sc.exe
      sc query "MpsSvc"
      4⤵
      Launches sc.exe
      PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start"
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "WinDefend" 2>nul
    3⤵
    PID:4980
  - - C:\Windows\system32\sc.exe
      sc query "WinDefend"
      4⤵
      Launches sc.exe
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" 2>nul
    3⤵
    PID:2388
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get HypervisorPresent /format:list" 2>nul
    3⤵
    PID:4640
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get HypervisorPresent /format:list
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get PartOfDomain /format:list" 2>nul
    3⤵
    PID:2108
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get PartOfDomain /format:list
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get DomainRole /format:list" 2>nul
    3⤵
    PID:872
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get DomainRole /format:list
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get PCSystemType /format:list" 2>nul
    3⤵
    PID:1272
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get PCSystemType /format:list
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 logicaldisk where ^(caption="C:"^) get filesystem /value" 2>nul
    3⤵
    PID:3164
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 logicaldisk where (caption="C:") get filesystem /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "GetInstDate.vbs" 2>Nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "GetInstDate.vbs"
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "QueryDisks.vbs" 2>Nul
    3⤵
    PID:3860
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "QueryDisks.vbs"
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "232138804165" 2
    3⤵
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "232138804165" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c PowerShell "Get-PhysicalDisk | Select MediaType, DeviceID" 2>nul
    3⤵
    PID:3468
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell "Get-PhysicalDisk | Select MediaType, DeviceID"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "WDC WDS100T2B0A" 2
    3⤵
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "WDC WDS100T2B0A" 2
      4⤵
      Executes dropped EXE
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "defragsvc" 2>nul
    3⤵
    PID:4708
  - - C:\Windows\system32\sc.exe
      sc query "defragsvc"
      4⤵
      Launches sc.exe
      PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Services\DefragSvc" /v "Start" 2>nul
    3⤵
    PID:4560
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Services\DefragSvc" /v "Start"
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Disabled" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:1244
  - - C:\Windows\system32\findstr.exe
      findstr /I "Disabled"
      4⤵
      PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Ready" 2>nul
    3⤵
    PID:1944
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:3140
  - - C:\Windows\system32\findstr.exe
      findstr /I "Ready"
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Running" 2>nul
    3⤵
    PID:1296
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:4072
  - - C:\Windows\system32\findstr.exe
      findstr /I "Running"
      4⤵
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" 2>nul | findstr /I /C:"Status:" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
      4⤵
      PID:2332
  - - C:\Windows\system32\findstr.exe
      findstr /I /C:"Status:"
      4⤵
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" 2>nul | findstr /I /C:"Scheduled Task State:" 2>nul
    3⤵
    PID:3304
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
      4⤵
      PID:4892
  - - C:\Windows\system32\findstr.exe
      findstr /I /C:"Scheduled Task State:"
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tzutil /g
    3⤵
    PID:1680
  - - C:\Windows\system32\tzutil.exe
      tzutil /g
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "UTC" 2
    3⤵
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "UTC" 2
      4⤵
      Executes dropped EXE
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "TimeZoneKeyName" 2>nul
    3⤵
    PID:1748
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "TimeZoneKeyName"
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "ActiveTimeBias" | FindStr /i "ActiveTimeBias" 2>nul
    3⤵
    PID:2604
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "ActiveTimeBias"
      4⤵
      PID:2460
  - - C:\Windows\system32\findstr.exe
      FindStr /i "ActiveTimeBias"
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo 0 2>nul
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic useraccount where name='Admin' get sid"
    3⤵
    PID:1532
  - - C:\Windows\system32\Wbem\WMIC.exe
      wmic useraccount where name='Admin' get sid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International" /v "LocaleName" 2>nul
    3⤵
    PID:3632
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International" /v "LocaleName"
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International" /v "sCountry" 2>nul
    3⤵
    PID:3764
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International" /v "sCountry"
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\PowerCfg" /v "CurrentPowerPolicy" 2>nul
    3⤵
    - Power Settings
    PID:4752
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\PowerCfg" /v "CurrentPowerPolicy"
      4⤵
      Power Settings
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\PowerCfg\PowerPolicies\0" /v "Name" 2>nul
    3⤵
    - Power Settings
    PID:4020
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\PowerCfg\PowerPolicies\0" /v "Name"
      4⤵
      Power Settings
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get OSLanguage /format:list" 2>nul
    3⤵
    PID:3044
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get OSLanguage /format:list
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /ad /b "C:\Windows\*-*"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\.DEFAULT\Control Panel\International\Geo" /v "Nation" | FindStr /i "Nation" 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\.DEFAULT\Control Panel\International\Geo" /v "Nation"
      4⤵
      PID:4284
  - - C:\Windows\system32\findstr.exe
      FindStr /i "Nation"
      4⤵
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKCU\Control Panel\International\Geo" /v "Nation" | FindStr /i "Nation" 2>nul
    3⤵
    PID:2208
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKCU\Control Panel\International\Geo" /v "Nation"
      4⤵
      PID:1736
  - - C:\Windows\system32\findstr.exe
      FindStr /i "Nation"
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET CAPTION /VALUE 2>nul
    3⤵
    PID:2144
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET CAPTION /VALUE
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET NumberOfLicensedUsers /value 2>nul
    3⤵
    PID:4940
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET NumberOfLicensedUsers /value
      4⤵
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET PortableOperatingSystem /value 2>nul
    3⤵
    PID:2136
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET PortableOperatingSystem /value
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_32BitApplications /format:list" 2>nul
    3⤵
    PID:1076
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_32BitApplications /format:list
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Available /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Available /format:list
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list" 2>nul
    3⤵
    PID:852
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_SupportPolicy /format:list" 2>nul
    3⤵
    PID:1880
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_SupportPolicy /format:list
      4⤵
      PID:3564
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:4836
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<INSIDER\>"
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:1596
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:3328
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<PREVIEW\>"
    3⤵
    PID:1552
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:568
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:1444
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<10\>"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" 2>nul
    3⤵
    PID:3660
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade"
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade" 2>nul
    3⤵
    PID:2132
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade"
      4⤵
      PID:4708
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKCR\PackagedCom\ClassIndex\{9F156763-7844-4DC4-B2B1-901F640F5155}"
    3⤵
    PID:216
- - C:\Windows\system32\findstr.exe
    FindStr /I "WindowsTerminal"
    3⤵
    PID:2712
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKCR\PackagedCom\Package\"
    3⤵
    PID:4620
- - C:\Windows\system32\findstr.exe
    FindStr /I "WindowsTerminal"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup" /f "Source OS" /k | FindStr /I "Source" 2>nul
    3⤵
    PID:2608
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup" /f "Source OS" /k
      4⤵
      PID:3140
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Source"
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" 2>NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3152
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves"
      4⤵
      PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "BranchReadinessLevel" 2>nul
    3⤵
    PID:4660
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "BranchReadinessLevel"
      4⤵
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel" 2>nul
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel"
      4⤵
      PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" 2>nul
    3⤵
    PID:2332
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus"
      4⤵
      PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" 2>nul
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus"
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list" 2>nul
    3⤵
    PID:548
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list
      4⤵
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list" 2>nul
    3⤵
    PID:3804
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list" 2>nul
    3⤵
    PID:2580
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list" 2>nul
    3⤵
    PID:1564
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:412
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    PID:1532
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS Get VERSION /Value" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get VERSION /Value
      4⤵
      PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BXPC____" 2
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BXPC____" 2
      4⤵
      Executes dropped EXE
      PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS_" 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS_" 2
      4⤵
      Executes dropped EXE
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS" 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS" 2
      4⤵
      Executes dropped EXE
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:1184
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:752
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:1284
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:1928
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:4776
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:1704
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:4608
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:3636
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:4160
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:1080
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:408
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:116
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:1444
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:4464
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:3020
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:216
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:4620
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2524
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2608
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:3472
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:3656
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:3052
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:1832
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:3736
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:4076
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\system32\findstr.exe
    findstr /irc:"NVIDIA Corporation"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -ExecutionPolicy Unrestricted -command "C:\Users\Admin\AppData\Local\Temp\MRP_QT\PSVid3.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState" /value 2>nul | FindStr "=" 2>Nul
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState" /value
      4⤵
      PID:4768
    - - C:\Windows\system32\Wbem\WMIC.exe
        
        WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState /value
        5⤵
        
        PID:2876
  - - C:\Windows\system32\findstr.exe
      FindStr "="
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "NETAdapt.vbs" 2>Nul
    3⤵
    PID:4520
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "NETAdapt.vbs"
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo 66:C5:59:04:A4:E9
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS get OperatingSystemSKU /VALUE 2>nul
    3⤵
    PID:2880
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS get OperatingSystemSKU /VALUE
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    cmd /c exit /b 125
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MRP_VMDetect.exe
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP_VMDetect.Exe
      MRP_VMDetect.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters\" /v "PhysicalHostNameFullyQualified" | FindStr /i "PhysicalHostNameFullyQualified" 2>nul
    3⤵
    PID:3164
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters\" /v "PhysicalHostNameFullyQualified"
      4⤵
      PID:4900
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PhysicalHostNameFullyQualified"
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft Basic Display Adapter " "
    3⤵
    PID:3652
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hyper-V"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " " "
    3⤵
    PID:4448
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hyper-V"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    PID:924
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "SystemBiosVersion" 2>nul | FindStr /I "VRTUAL" 2>nul
    3⤵
    PID:3860
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "SystemBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:1960
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VRTUAL"
      4⤵
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:1880
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2472
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:3284
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2640
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:1552
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:1596
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2128
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:3672
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:4964
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:4560
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:3344
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3124
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:1192
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:4908
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:1988
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:3688
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2196
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:988
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:4844
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:4892
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:3848
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:3080
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:548
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "VMWare" 2>nul
    3⤵
    PID:4676
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2452
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWare"
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "VMWare" 2>nul
    3⤵
    PID:4144
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2580
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWare"
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:1748
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:2052
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:3984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:3120
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:4188
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3632
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:232
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4980
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:3764
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2876
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:2256
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2388
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:2312
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4696
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4428
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:4556
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2412
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:1072
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1736
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3024
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4292
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:896
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4420
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:2584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1928
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1168
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3964
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:2984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4200
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:1240
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2472
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3604
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:640
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:3284
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3608
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:1552
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:568
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3464
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:3672
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:5068
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4560
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1252
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1192
- - C:\Windows\system32\timeout.exe
    timeout /T 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1244
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4672
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:5000
- - C:\Windows\system32\cmd.exe
    cmd /C exit 1033
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" 2>nul | FindStr /i "PreferredUILanguages" 2>nul
    3⤵
    PID:4660
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"
      4⤵
      PID:2820
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PreferredUILanguages"
      4⤵
      PID:3688
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v2" 2>nul
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:1832
  - - C:\Windows\system32\findstr.exe
      findstr /i "v2"
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v3.5" 2>nul
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:1456
  - - C:\Windows\system32\findstr.exe
      findstr /i "v3.5"
      4⤵
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v4" 2>nul
    3⤵
    PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:3568
  - - C:\Windows\system32\findstr.exe
      findstr /i "v4"
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Release" 2>nul
    3⤵
    PID:4676
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Release"
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Version" 2>nul
    3⤵
    PID:1108
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Version"
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v1" 2>nul
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:1748
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v1"
      4⤵
      PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v2" 2>nul
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v2"
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "InstallSuccess" 2>nul
    3⤵
    PID:324
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "InstallSuccess"
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "Version" 2>nul
    3⤵
    PID:3632
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "Version"
      4⤵
      PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Install" 2>nul
    3⤵
    PID:1048
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Install"
      4⤵
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Version" 2>nul
    3⤵
    PID:5032
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Version"
      4⤵
      PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v4" 2>nul
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:4932
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v4"
      4⤵
      PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Program Files\\DotNet\\Dotnet.exe'" get Version /VALUE 2>nul
    3⤵
    PID:3064
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Program Files\\DotNet\\Dotnet.exe'" get Version /VALUE
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Program Files\\DotNet\\Dotnet.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Program Files\\DotNet\\Dotnet.exe'" GET Version /VALUE
      4⤵
      PID:2312
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "Generic.exe" /OS
    3⤵
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      Generic.exe /OS
      4⤵
      Executes dropped EXE
      PID:2108
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /SLIC
    3⤵
    - Executes dropped EXE
    PID:4292
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /CERT
    3⤵
    - Executes dropped EXE
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /KEY
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4776
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /MSDM
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:1076
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:2744
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:3740
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:852
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:1960
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:3684
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:1080
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:2508
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:4912
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install"
      4⤵
      PID:3328
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:3732
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install"
      4⤵
      PID:2488
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "MRPCPUNum.vbs" 2>Nul
    3⤵
    PID:1552
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "MRPCPUNum.vbs"
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "DynamicDaylightTimeDisabled" 2>nul | FindStr /I "DynamicDaylightTimeDisabled" 2>nul
    3⤵
    PID:732
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "DynamicDaylightTimeDisabled"
      4⤵
      PID:2132
  - - C:\Windows\system32\findstr.exe
      FindStr /I "DynamicDaylightTimeDisabled"
      4⤵
      PID:2712
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1648
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SystemInfo 2>Nul | FindStr /I /B /C:"OS Name" 2>nul
    3⤵
    PID:1988
  - - C:\Windows\system32\systeminfo.exe
      SystemInfo
      4⤵
      Gathers system information
      PID:4672
  - - C:\Windows\system32\findstr.exe
      FindStr /I /B /C:"OS Name"
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "Start" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "Start"
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "DelayedAutoStart" 2>nul
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "DelayedAutoStart"
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" 2>nul
    3⤵
    PID:1756
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Clipboard" /v "EnableClipboardHistory"
      4⤵
      PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" 2>nul
    3⤵
    PID:3332
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard"
      4⤵
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" 2>nul
    3⤵
    PID:1452
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory"
      4⤵
      PID:2460
- - C:\Windows\system32\bcdedit.exe
    bcdedit /enum {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4676
- - C:\Windows\system32\findstr.exe
    findstr /I /R /C:"^flightsigning *Yes$"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -NoProfile "(Get-AppxPackage -Name 'MicrosoftWindows.Client.CBS').Version" 2>nul
    3⤵
    PID:2052
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -NoProfile "(Get-AppxPackage -Name 'MicrosoftWindows.Client.CBS').Version"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSVersion" 2>nul
    3⤵
    PID:5024
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSVersion"
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSReleaseDate" 2>nul
    3⤵
    PID:1932
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSReleaseDate"
      4⤵
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" 2>nul
    3⤵
    PID:2324
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:2348
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CSDVersion" 2>nul
    3⤵
    PID:1700
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CSDVersion"
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion" 2>nul
    3⤵
    PID:4428
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"
      4⤵
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BaseBuildRevisionNumber" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BaseBuildRevisionNumber"
      4⤵
      PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLabEx" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLabEx"
      4⤵
      PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildBranch" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildBranch"
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" 2>nul
    3⤵
    PID:2208
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR" 2>nul
    3⤵
    PID:4552
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
      4⤵
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul
    3⤵
    PID:2144
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ReleaseID" 2>nul
    3⤵
    PID:1256
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ReleaseID"
      4⤵
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo vb_release 2>nul
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID" 2>nul
    3⤵
    PID:2512
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
      4⤵
      PID:4776
- - C:\Windows\system32\cmd.exe
    cmd /C exit 004250
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\winver.exe'" get Version /VALUE 2>nul
    3⤵
    PID:1704
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\winver.exe'" get Version /VALUE
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\winver.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\winver.exe'" GET Version /VALUE
      4⤵
      PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\attrib.exe'" get Version /VALUE 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\attrib.exe'" get Version /VALUE
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\attrib.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\attrib.exe'" GET Version /VALUE
      4⤵
      PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber" 2>nul
    3⤵
    PID:3816
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber"
      4⤵
      PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMinorVersionNumber" 2>nul
    3⤵
    PID:3868
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMinorVersionNumber"
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>NUL WMIC /locale:ms_409 SystemEnclosure GET ChassisTypes 2>nul | FindStr /i "}" 2>nul
    3⤵
    PID:1128
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET ChassisTypes
      4⤵
      PID:3468
  - - C:\Windows\system32\findstr.exe
      FindStr /i "}"
      4⤵
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4344
- - C:\Windows\system32\powercfg.exe
    powercfg /list
    3⤵
    - Power Settings
    PID:436
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:1552
- - C:\Windows\system32\findstr.exe
    FindStr /I "381b4222-f694-41f0-9685-ff5bb260df2e" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:216
- - C:\Windows\system32\findstr.exe
    FindStr /I "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:3020
- - C:\Windows\system32\findstr.exe
    FindStr /I "a1841308-3541-4fab-bc81-f71556f20b4a" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:2884
- - C:\Windows\system32\findstr.exe
    FindStr /I "e9a42b02-d5df-448d-aa00-03f14749eb61" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:1648
- - C:\Windows\system32\findstr.exe
    FindStr /I "381b4222-f694-41f0-9685-ff5bb260df2e" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:3412
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:4936
- - C:\Windows\system32\findstr.exe
    FindStr /I "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:2228
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:1244
- - C:\Windows\system32\findstr.exe
    FindStr /I "a1841308-3541-4fab-bc81-f71556f20b4a" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:3988
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:4084
- - C:\Windows\system32\findstr.exe
    FindStr /I "e9a42b02-d5df-448d-aa00-03f14749eb61" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:3152
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Manufacturer /Value 2>nul
    3⤵
    PID:4908
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Manufacturer /Value
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Model /Value 2>nul
    3⤵
    PID:1832
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Model /Value
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Product /Value 2>nul
    3⤵
    PID:4584
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Product /Value
      4⤵
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET SerialNumber /Value 2>nul
    3⤵
    PID:3568
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET SerialNumber /Value
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET PartNumber /Value 2>nul
    3⤵
    PID:1452
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET PartNumber /Value
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET SecurityStatus /Value 2>nul
    3⤵
    PID:1844
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET SecurityStatus /Value
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET ServicePhilosophy /Value 2>nul
    3⤵
    PID:324
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET ServicePhilosophy /Value
      4⤵
      PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET Version /Value 2>nul
    3⤵
    PID:4728
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET Version /Value
      4⤵
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Name" | Findstr /I "Name" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Name"
      4⤵
      PID:4980
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Name"
      4⤵
      PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Vendor" | Findstr /I "Vendor" 2>nul
    3⤵
    PID:2644
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Vendor"
      4⤵
      PID:4932
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Vendor"
      4⤵
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "UUID" | Findstr /I "UUID" 2>nul
    3⤵
    PID:2940
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "UUID"
      4⤵
      PID:4640
  - - C:\Windows\system32\findstr.exe
      Findstr /I "UUID"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Model" | Findstr /I "Model" 2>nul
    3⤵
    PID:4520
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Model"
      4⤵
      PID:3400
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Model"
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Manufacturer" | Findstr /I "Manufacturer" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Manufacturer"
      4⤵
      PID:820
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Manufacturer"
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Product" | Findstr /I "Product" 2>nul
    3⤵
    PID:1184
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Product"
      4⤵
      PID:2208
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Product"
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Manufacturer" | Findstr /I "Manufacturer" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Manufacturer"
      4⤵
      PID:2136
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Manufacturer"
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Model" | Findstr /I "Model" 2>nul
    3⤵
    PID:3652
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Model"
      4⤵
      PID:2512
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Model"
      4⤵
      PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:1704
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "SerialNumber"
      4⤵
      PID:4228
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Tag" | Findstr /I "Tag" 2>nul
    3⤵
    PID:2472
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Tag"
      4⤵
      PID:2600
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Tag"
      4⤵
      PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:1960
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SerialNumber"
      4⤵
      PID:4916
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "PartNumber" | Findstr /I "PartNumber" 2>nul
    3⤵
    PID:2664
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "PartNumber"
      4⤵
      PID:4152
  - - C:\Windows\system32\findstr.exe
      Findstr /I "PartNumber"
      4⤵
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SecurityStatus" | Findstr /I "SecurityStatus" 2>nul
    3⤵
    PID:4344
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SecurityStatus"
      4⤵
      PID:4276
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SecurityStatus"
      4⤵
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "ServicePhilosophy" | Findstr /I "ServicePhilosophy" 2>nul
    3⤵
    PID:2712
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "ServicePhilosophy"
      4⤵
      PID:1252
  - - C:\Windows\system32\findstr.exe
      Findstr /I "ServicePhilosophy"
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:4092
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "Version"
      4⤵
      PID:3052
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:4672
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SerialNumber"
      4⤵
      PID:2952
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:3892
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version"
      4⤵
      PID:8
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:4076
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version"
      4⤵
      PID:4088
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "manufacturer" | Findstr /I "manufacturer" 2>nul
    3⤵
    PID:3056
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "manufacturer"
      4⤵
      PID:1108
  - - C:\Windows\system32\findstr.exe
      Findstr /I "manufacturer"
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSBIOSVersion" | Findstr /I "SMBIOSBIOSVersion" 2>nul
    3⤵
    PID:4644
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSBIOSVersion"
      4⤵
      PID:4704
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSBIOSVersion"
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMajorVersion" | Findstr /I "SMBIOSMajorVersion" 2>nul
    3⤵
    PID:324
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMajorVersion"
      4⤵
      PID:1532
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSMajorVersion"
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMinorVersion" | Findstr /I "SMBIOSMinorVersion" 2>nul
    3⤵
    PID:4524
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMinorVersion"
      4⤵
      PID:3632
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSMinorVersion"
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "ReleaseDate" | Findstr /I "ReleaseDate" 2>nul
    3⤵
    PID:3764
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "ReleaseDate"
      4⤵
      PID:2620
  - - C:\Windows\system32\findstr.exe
      Findstr /I "ReleaseDate"
      4⤵
      PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "PrimaryBIOS" | Findstr /I "PrimaryBIOS" 2>nul
    3⤵
    PID:4920
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "PrimaryBIOS"
      4⤵
      PID:4792
  - - C:\Windows\system32\findstr.exe
      Findstr /I "PrimaryBIOS"
      4⤵
      PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemProductName" 2>nul
    3⤵
    PID:2108
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemProductName"
      4⤵
      Enumerates system info in registry
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get manufacturer /Value 2>nul
    3⤵
    PID:4732
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get manufacturer /Value
      4⤵
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSBIOSVERSION /Value 2>nul
    3⤵
    PID:4424
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSBIOSVERSION /Value
      4⤵
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSMajorVersion /Value 2>nul
    3⤵
    PID:4000
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSMajorVersion /Value
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSMinorVersion /Value 2>nul
    3⤵
    PID:4160
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSMinorVersion /Value
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get VERSION /Value 2>nul
    3⤵
    PID:3652
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get VERSION /Value
      4⤵
      PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get ReleaseDate /Value 2>nul
    3⤵
    PID:1464
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get ReleaseDate /Value
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET PrimaryBIOS /format:list" 2>nul
    3⤵
    PID:2508
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET PrimaryBIOS /format:list
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS - 1" 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS - 1" 2
      4⤵
      Executes dropped EXE
      PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "Generic.exe" /OS
    3⤵
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      Generic.exe /OS
      4⤵
      Executes dropped EXE
      PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe" /LDR
    3⤵
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe /LDR
      4⤵
      Executes dropped EXE
      PID:64
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    "C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe" /SV
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Type "C:\Users\Admin\AppData\Local\Temp\MRP_QT\SLICv.txt" 2>nul
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path softwarelicensingservice get OA2xBiosMarkerStatus /value" 2>nul
    3⤵
    PID:4708
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path softwarelicensingservice get OA2xBiosMarkerStatus /value
      4⤵
      PID:1984
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "Windows*.txt" 2>nul
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs" 2>Nul
    3⤵
    PID:1508
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs"
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs" 2>Nul
    3⤵
    PID:3052
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs"
      4⤵
      PID:2492
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:1988
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "Update Revision" /z 2>nul
    3⤵
    PID:3304
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "Update Revision" /z
      4⤵
      Checks processor information in registry
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 computersystem get NumberOfProcessors /format:list 2>nul
    3⤵
    PID:1392
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 computersystem get NumberOfProcessors /format:list
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "12th Gen Intel{R} Core{TM} i5-12400 {Ref:NVR} " "
    3⤵
    PID:2460
- - C:\Windows\system32\findstr.exe
    FindStr /i "Intel"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "12th Gen Intel{R} Core{TM} i5-12400 {Ref:NVR} " "
    3⤵
    PID:4088
- - C:\Windows\system32\findstr.exe
    FindStr /i "AMD"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Intel64 Family 6 Model 151 Stepping 2 " "
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3088
- - C:\Windows\system32\findstr.exe
    FindStr /i "Intel64"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Intel64 Family 6 Model 151 Stepping 2 " "
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:412
- - C:\Windows\system32\findstr.exe
    FindStr /i "AMD64"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list" 2>nul
    3⤵
    PID:3056
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list
      4⤵
      PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list" 2>nul
    3⤵
    PID:1196
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list" 2>nul
    3⤵
    PID:5024
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list
      4⤵
      PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:324
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list" 2>nul
    3⤵
    PID:3632
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:3228
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET SERIALNUMBER /format:list" 2>nul
    3⤵
    PID:3764
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET SERIALNUMBER /format:list
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 csproduct get UUID /value 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 csproduct get UUID /value
      4⤵
      PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BXPC____" 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BXPC____" 2
      4⤵
      Executes dropped EXE
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS_" 2
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS_" 2
      4⤵
      Executes dropped EXE
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS" 2
    3⤵
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme"
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme" 2>nul
    3⤵
    PID:4408
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme"
      4⤵
      PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "aero.theme" 2
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "aero.theme" 2
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemManufacturer"
    3⤵
    PID:4068
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<VMware\>"
    3⤵
    PID:3636
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:3652
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<VirtualBox\>"
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:4784
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<Oracle\>"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:344
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____" 2>nul"
    3⤵
    PID:116
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____" 2>nul"
    3⤵
    PID:1960
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:2092
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:3448
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:1020
- - C:\Windows\system32\findstr.exe
    FindStr /I "AORUS"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:5068
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "QTOEMTest.ini" | FindStr /I "\<%INFO%\>" | FindStr /I /C:"NA" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "QTOEMTest.ini" "
      4⤵
      PID:4344
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<INFO\>"
      4⤵
      PID:3672
  - - C:\Windows\system32\findstr.exe
      FindStr /I /C:"NA"
      4⤵
      PID:4176
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "QTOEMTest.ini" | FindStr /I "\<%SLIC%\>" | FindStr /I "\<%BIOVER1234%\>" 2>nul
    3⤵
    PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "QTOEMTest.ini" "
      4⤵
      PID:1648
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<SLIC\>"
      4⤵
      PID:4224
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<BOCHS\>"
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MBRGPT.exe
    3⤵
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\MBRGPT.exe
      MBRGPT.exe
      4⤵
      Executes dropped EXE
      PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 partition where (bootable='TRUE' and name like '%0,%') get type /value" 2>nul
    3⤵
    PID:4908
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 partition where (bootable='TRUE' and name like '%0,%') get type /value
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Unknown " "
    3⤵
    PID:2332
- - C:\Windows\system32\findstr.exe
    FindStr /i "GPT"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC scsicontroller get name /value" 2>nul
    3⤵
    PID:4496
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC scsicontroller get name /value
      4⤵
      PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC idecontroller get name /value" 2>nul
    3⤵
    PID:3736
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC idecontroller get name /value
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:2384
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"SCSI"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:4076
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"SAS"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:1708
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"NVM"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:4716
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"eMM"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Standard SATA AHCI Controller " "
    3⤵
    PID:1564
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"ahci"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" 2>&1 | FindStr /i "PreferredUILanguages" 2>nul
    3⤵
    PID:3056
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"
      4⤵
      PID:4728
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PreferredUILanguages"
      4⤵
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "LocaleName" 2>&1 | FindStr /i "LocaleName" 2>nul
    3⤵
    PID:4704
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "LocaleName"
      4⤵
      PID:1532
  - - C:\Windows\system32\findstr.exe
      FindStr /i "LocaleName"
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "sLanguage" 2>&1 | FindStr /i "sLanguage" 2>nul
    3⤵
    PID:2768
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "sLanguage"
      4⤵
      PID:1048
  - - C:\Windows\system32\findstr.exe
      FindStr /i "sLanguage"
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatus /format:list" 2>nul
    3⤵
    PID:1028
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatus /format:list
      4⤵
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatusReason /format:list" 2>nul
    3⤵
    PID:2844
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatusReason /format:list
      4⤵
      PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET Description /value" 2>nul
    3⤵
    PID:1304
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET Description /value
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name like 'Windows%' and LicenseStatus='5') get name /value" 2>nul
    3⤵
    PID:1560
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name like 'Windows%' and LicenseStatus='5') get name /value
      4⤵
      PID:4640
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' and LicenseStatus='1') get Name
    3⤵
    PID:1736
- - C:\Windows\system32\findstr.exe
    FindStr /i "Windows"
    3⤵
    PID:2924
- - C:\Windows\system32\cscript.exe
    C:\Windows\Sysnative\CScript.exe //NoLogo sppwmi.vbs "SoftwareLicensingProduct" "Description like '%KMSCLIENT%' and LicenseStatus='1'" "Name"
    3⤵
    PID:2064
- - C:\Windows\system32\findstr.exe
    FindStr /i "Windows"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET EvaluationEndDate,GenuineStatus,GracePeriodRemaining,IsKeyManagementServiceMachine,KeyManagementServiceMachine,DiscoveredKeyManagementServiceMachineIpAddress,KeyManagementServicePort,LicenseIsAddon,VLActivationType,VLActivationInterval,VLActivationTypeEnabled,VLRenewalInterval,LicenseStatus,ProductKeyChannel /VALUE" 2>nul | FindStr /I =
    3⤵
    PID:2208
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET EvaluationEndDate,GenuineStatus,GracePeriodRemaining,IsKeyManagementServiceMachine,KeyManagementServiceMachine,DiscoveredKeyManagementServiceMachineIpAddress,KeyManagementServicePort,LicenseIsAddon,VLActivationType,VLActivationInterval,VLActivationTypeEnabled,VLRenewalInterval,LicenseStatus,ProductKeyChannel /VALUE
      4⤵
      PID:1072
  - - C:\Windows\system32\findstr.exe
      FindStr /I =
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Description like '%KMSCLIENT%') GET name" 2>nul
    3⤵
    PID:3032
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC PATH SoftwareLicensingProduct WHERE (Description like '%KMSCLIENT%') GET name
      4⤵
      PID:4424

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Generic.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9b68f89a54b90dd9c4723e872460f258

SHA1
8364383c703d268afd6e66e8ce0f2122cdf15ac6

SHA256
76113ea9f13e1f5e6f206b17b080abb0d62842c5c526e382d033ea3bae217f3c

SHA512
ab0e84c3a5ac970e47ecf6aa73fa831bcba23b262386f60d6dd99b5e35dc711c4808e9fcccdd0c575a3da9ee70d33c2ba1a88390496b7f3c77846f7feebb6965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc6058a3fa7160b441b9d6c33fe9e923

SHA1
3d68f4c287b599e4ec3605be3dc42b6b0edb2091

SHA256
68e3f29e47120dc467828199844da771477265d49d87523c20362a4f02827fad

SHA512
ca06725cb790f23b9530a136d8e0ce6dea819964456f4d8337a1a69e8273e060732b4e1796a00528b0da76b70074cf4a16a5f71fbe43054caf83491e5b4b3e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b5d1ca1951c72bbd2ddab90725aed5f

SHA1
f5992dec0746501b6f191ada4da8fe061c29e990

SHA256
be14118b41fe5fd05b1f8b2c5bbb69a65bf178e40df10da803b31920f6c47314

SHA512
1a53763ea97f0817dabd494c4e421a121310a01d17c169ff937ef8478865c724ce61db3630be71cf9bd63a549b43e02e861218f1edac6d9ccc45e9650e3f75ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17dda5cd45fc30a6bb675b4992da81c1

SHA1
96d42c4810ccd8962ccb63b0b874fe65fa8ada40

SHA256
6b82e65fc91f328bd086a0402cd9c762db8dbd39fd4e70c6e61359d6e5efade5

SHA512
f01e82bd403d68a58e5f370b6bbd00a78d9176918e7543dd1ffab4c14dfaadeddb794a98b36b0d9cb0244cdd75f2464709446f99465fdf038659e3fb8b43c3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5d17cb503ec1f882ccd004e28933ff3

SHA1
248cdec1bcfc1e31b035ae59363e68d942fc9150

SHA256
1c667cf042656bbbdd7cf2f435d5a5339058f82f1fac366fcce61f5006e72770

SHA512
658b471319d8393cce268611b8ccd58c7419916a10be6fcccdda4f3bd4e9b445b19ea0ace2acc951aabb67ea50e51d846239e09934344a1ea04e84843fe91f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
3KB

MD5
2adde2343cfac069557e5f0d7194e35c

SHA1
36fe01e9a82b51c5c6d82674b70a1f49052fed5e

SHA256
0d6d7628b833d5d9153643974bfa1a01b18639ad6274572d4837ae5882836438

SHA512
962f00751f2c41031c778cfd55e46f70307e746050d689381706d1e47c5a543a66f4688095e352ae40107a8fb327b3e4677b497dfe3e5d5eefc1ac6e55047160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bb49571ba31b80bb935fd7cb310a2ac

SHA1
f61475be1965266499a62559f256fba3522b5232

SHA256
9fcc2ce0f969a37502e1bc2c69a1e353a3518e8e08508c40a52c61f5173c1b2b

SHA512
d44bacc8da5cf86e13ac7922e8e2af213620d6836e0730386bad59191673c8d453530da5204cdc4a7bde1f6af23efe1e346dbe36d3340ce5da6d7f1504e4d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fae1b07562af18cdae56fecdacf547f

SHA1
c8283f9f2186fccdde60675d8417e74eea168b78

SHA256
ece435634a79696c7620b9636feca499a0a83419c16dcb4d5adfddb878566106

SHA512
b49385b96fb3a21902a1caad269a10a37ad5a9348beba1bf6fda644a4b9a705936ce21380578119a78f277b5861a11dc04bbb7013862b12840f1ba09ecca29a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5db744a7a1a21d32c917275589fb024

SHA1
59e69fc859481b7ebb7c71aa8dbc86c75e8bf0d3

SHA256
a54911fbd5cb8ef21bcdb0774aee6e924143e011591252ebae8e2d4ac2e1e2dc

SHA512
98dfdb44f2f664c37be799925d3fc1beb431473c34f13f92c1ba2d82b5dea0f2c9eb54177a1e328f296b53d685b92ccb3eb3fe8ecc020382c75ebf7098262573

Download Submit
C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt

Filesize
375B

MD5
a37b09fb52739b9b40e51ea353019ef2

SHA1
ffd4840d8b3d7a915c0c5e681900dc52c48661f8

SHA256
9e82fc9a78369807c2f3ce69097a3689a4a1ce885d0ab6408f4730b0c35bd272

SHA512
fcbaa68725bdf18e0f897f3fc80a95f1a417601bfeb689365fc129d448cc94b80ec84b5c4fee62639fd49fcf5bdc1e92a557c209b3168c3fbda4b56efa50f5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt

Filesize
6B

MD5
fabc3596ed8cdc320e598a3edaeb4cac

SHA1
dfec7175a6a62757d83b93794df767d5acfadb82

SHA256
98151f3a6ba251eea70e602202c1c01eaa43d05f8677d9c9505e59e6ca4577c2

SHA512
56b2040c164339e838702ee793187e19154469eba23337df0005cc268344915d9beb6ac6b86b243dba46e158875745e26f3898099bc9112f253f67433313da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\BDTBT.exe

Filesize
443KB

MD5
1db1eab663363d484ef7c6c2f8edd7a6

SHA1
6ca71b66cf963a90391cd6c3de7b4babda03a53b

SHA256
9fd28b97864ebbaabbd3c3f9c5a46f8efc963ed5e90ebaaa2457afa8112807c4

SHA512
1836aecd18ae00358c0033b078776ddf697384aab77a8b536df88960715f287223707da2a73595dd7738b2fb5449000dfc427d0e756c70c486bace5026d9f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1

Filesize
657B

MD5
23c52f3043eaac0338b3e884c17789f0

SHA1
ef7b7dccc59806ae3eb2d54470d4da5d33cda199

SHA256
cb0ccbf5ad373f9fc1e1780f038af22a68e75a235c404ef54658819bdfa71cf5

SHA512
ff5cc6775f8254532361e164d6b841932ece1e91745fa29f206269aca55367bc9a4d19c073989ebf9b8c579e92c951aa8d769d5a851da0cd315750bc9486f5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1

Filesize
510B

MD5
313b2f7171a5648f4e1ff8bce880181f

SHA1
a4a4f65b92f7dacee804ed10edcbcdd0c0dfbecb

SHA256
05d9321e248afb697f19f1df7f00c2362792042d9d10b2e2f1b1984e5dae8d20

SHA512
03a97008794ac7c00102d6500c6406f31723d7c51927a3ce80856f3b15ef412a4d16329ce42af8593e5ae99cc2a759b24c327a264da1153eb903b0d533d14359

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe

Filesize
1.0MB

MD5
b80cea64819b96830ffbd93f5a98de31

SHA1
0d14c0ddfb91fda0422e3c1b429bda687fe9b94c

SHA256
8d7b0c58854cff4cf4e4935bdaf1fcf7c87e332be8865296da4f88ba61f92dd9

SHA512
dfe821abdad987736d8bf6c7c5a1e04c6163383d771a611aa4500dedd540a6d79e8825f1bce9d86e9d43a4c1afe1d594db8bda5e019b5c42be0e4f91965a3008

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkVidAdaptrs.vbs

Filesize
3KB

MD5
30d9a18dab85c439328bf2e17316a0f3

SHA1
c52ada06e716b1155862fc6be6cc63f3c8c2e1a6

SHA256
6678845dd83b6f61a4aa29203645df46c647c315bb3fbb6ab41c6ff9218cfad8

SHA512
6786c7e0d76074a75ea5bf64332aaf917b2468fca3586887bb8a69bf9c37c5bd7011faf40b57004392d7d56e4400b369102103cb00b8cd84e5e20bdbe4e0bc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\CompUpTime2.vbs

Filesize
971B

MD5
cd62371dcadf7b88c5a7cf4f7725de2c

SHA1
89ec895b9f527f26d2270994c133849eede93bef

SHA256
a7b3e7895a1ab3a8dfe0fde979beb5b653f8ccef8a0422a13b55e01f315ccdec

SHA512
2a74286c2cb08578a666a7342479a9378670c744492f4848d30a4325b48913bd6b0c748c52477c5a9467f5caa36244f83fed698713bc5ade5e8a39a730b1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\DiskModelNameW7.vbs

Filesize
957B

MD5
d356b4f84c635cb2f301c8cc23442bc0

SHA1
4bf8c4d79c15545a465ce6097b2b6d5de6fb9cea

SHA256
a359cda306e3a4cb4007a9cf8083a232daafc53cfc2ba5e912b14e7c717638c9

SHA512
b66189203b8a51a76fc9afadebcb3cfa41f32f5e45216dfc96703c71ee17d64db7df5c92cc3876eeeef3a9e64ad0581b9c247a441812024153556a552bf2f6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\FindDuplicates.cmd

Filesize
629B

MD5
44e07d6090d7b5eb77921bf4d09eb83e

SHA1
039107a06871cec8685bee0706260c43858e8814

SHA256
7f1ccfeced3c668f0a70aab8ea29452909f5247c5f58bfe980078aa835cdbf8b

SHA512
634d825fd58c99dd7bd0942d3f50cf92721cd704f616f9eeef5085cd9f3969dfe7b6899be01b98323c77d498ab93b89fc10ea86acb0b7091aaea207750707dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\FindTPM.vbs

Filesize
3KB

MD5
8986ecd2f91299f588b4bb89ef600789

SHA1
8da57741ce6e3f7a4ffcbdec8c0b13ee6bd31e4d

SHA256
b438afe08b9d277f13b1ea491b5e36f0852344002bbe558a7daf75f8d3a4826f

SHA512
e383fd5cdd43f403aab9fc7b7a44ffbf40111e438c2abe7e3111823fc04208729a83f4ee29b3313a57e85cc08ad6aa84fe19e248c613116b71733500d36e05c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic_2.exe

Filesize
25KB

MD5
99022b783ef7c73c93c1dfa1ac630cac

SHA1
ec79d766c9586029a12d5265b2ba0be9d1428111

SHA256
78c8ccb562ee0290c63a91c48107cb79ab5cd1d7f6d058688338d1e6190f0e58

SHA512
5a91ba7523eae2f89d138f7b523999d4deefe2f3a6ff0849705a7d8f559ff7d379c390e9c724486aa9b7daefe07819c27a67f781f4d8dec6c284c64e91420aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic_4.exe

Filesize
25KB

MD5
9feb2b5e667b34d220db3e774a31946d

SHA1
bf157e7f0e8895ceac6a0cf80edeca90aa29f6b7

SHA256
617b441c97bd97aeb01ff0c6d8f8dc4b3626716f0b75f889f620e2b2e95cb750

SHA512
dc2c442f4caab3989fbe33f9f1e239760d6b10d589c364e97764a9d44909db778d16a4cefde9aef4667cabba04ca8dfdc7e028aa9272d51180ecd78b1955a6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\GetInstDate.vbs

Filesize
738B

MD5
f38f65a23011e28666f0b57867361f36

SHA1
25aa6fc298a5623c2f98d0354232200ac6347187

SHA256
10459b8096990d5fadf286002803e81fd66dd188fb525eee783de2ad196b3b70

SHA512
89b4a03ecae04b7c9a6533680206813f71d177d186d65756d7c76c9f63d90fa79218016fc8e3aa1222b85c45ffb7f47846173af5ef07d601730314146db422cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Isw11.vbs

Filesize
409B

MD5
b05c0a8b0098da8a286bf68daf2bd7ac

SHA1
aa4bc8e4ac85e65fb4a397ddeaf3950c33737cb8

SHA256
fa45531a0f1e8339b64e26bf031f770901c8d80b2aa9e8af7c65211c67e2e2e4

SHA512
45db1a714453caa6bd774da48096da07c474b375c4f7b4ce11e91d7893e81ac1c6cdefc721f9365cc63a6650ae191f6f4316916b6457c1ffbea9d62b243428cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd

Filesize
528KB

MD5
29f9ddb88e68613402e57b551ca048fe

SHA1
5b6538e9ae86a6bd07946007f2624c14689f83f0

SHA256
8d3cf66be6e89bf1c208fe01b920df681c50bb2e21d1cbe82052d4d6aa7eeb6e

SHA512
9fc9158d3f780830df1720f8ad73afa91221756fc21568bee6d81c0e9ca8bacbc60ea9c07562d05f51b888b0079989c5f76df7ea04a9cfc63aece263936850a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRPCPUNum.vbs

Filesize
794B

MD5
53e2eabc0a45a0c27cd3801d764c321c

SHA1
cfd7d62480204e3ecc58f4c447d97decc9371b0b

SHA256
321a2ef1ab98d95285d15abf3bb90156b67b7031696687792926f9e2cafd92e2

SHA512
16dc42d4a2af380d0d1b896bcc1ae8622885a251d13cad9a938b8480f349f7c86be903197d627489a83d9ee2937ff4688178ac0491a4cb4d4329edef47b5d6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRPDetectCPU.vbs

Filesize
2KB

MD5
bce8298bc2d9bc9c9157394f1a395fa9

SHA1
a278c3431e14073cec181f6646a04e5deb5b90dd

SHA256
ad1702bcdf3e2bfda254ee92904305d4c2aa4a0c1355f45e7ea549203587646f

SHA512
0996f5c719e2e2016883bdbef9382d3d0af1e057b733f64c7e1217d8ab52785a6bb2c2955dd11096dc40b3106c68c2ce7de2f531fae58cb441d22ae09d671aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP_VMDetect.Exe

Filesize
859KB

MD5
9b43bedc285ba2fc192075f5d2ad252a

SHA1
c9d82eb15a7df309f9dff0a88f2f03359d0f08c8

SHA256
3d609970dc1a1be3314684dbecc3e9274a540187545d9c95dac3d3dbc95ff0e8

SHA512
967943a29c80b61c279e9cd425a4bb7ed63f55b2056b397fdc8280e949fc76b80e1472a1cc4564a2f50b3c4c77e6181b4524d75a489e8c6a4c2e40e8b702a332

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\NETAdapt.vbs

Filesize
317B

MD5
b24f7b29cb0b5d4d99634e6ae35cfab0

SHA1
834f8b913d105320d9d7116f951d00f693aba31b

SHA256
83ab14a3451626d2ce59b2c98faad04c35d958aa45c6d8486a30034a29a508e4

SHA512
749c9e8e38a2ed77fba4a9ec4f221886acb71458f0b4a6f27820a97c75b9b51e7819c8a85f740cbc5a9ed5c8ce5277585911e9557d08cdf5af5ff3a9bb2ae492

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\NewSKU.ini

Filesize
3KB

MD5
3c2add1c0a2d9624853b2b245c1bd33c

SHA1
764d71aa4d1c0e625f04dd54f21e78c15510c900

SHA256
ce7dc8c3aa00737a1ec81e1d98c58c0ea6d50990eac40ae2098baacc3d976ad3

SHA512
373472cd53b8dd075499ccc18e5da12ce58e65a563542d791b97db7f763f30ce271dc85625cace788ec99502f7c8fe71d9cd3e38fc99f0fb73ca025de8e549f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\OldSKU.ini

Filesize
3KB

MD5
57f76f5b28e083e3d8661f4bb6ed2383

SHA1
85edab3847047a5699ddd2e4065be68feb280201

SHA256
30dab473b21c387e0a77a0eabac7beb428b7292d5307a8088a85dfd64f7693fd

SHA512
34b91f473cf9a51d514ddf41de71cd2d9f90d2b16c7d2a47dd61f056a027c7efc40c8185282d6c78bca83da98ffd1b66854642158a6184c28a91b6bb38a8a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\PSVid3.ps1

Filesize
1KB

MD5
10cddd18a87c323addc4556495230f72

SHA1
aff5315ae7bd1223b259961f1c92b0e7cca83376

SHA256
6ca5dc620e424f9f4688212e281e4018fb75e0ae0a762477619ce5bd0ffb7c81

SHA512
c365ee4138b7579b1982ed2f0a07a1757e845bce8b9ed26dab77b3e30c5468c7558b1daf77c8d21348023623b1bb03d145189b1608d9a02f41ed77fbcac3601a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\QueryDisks.vbs

Filesize
573B

MD5
ff24c47d2781c69c91d7508851ab5cac

SHA1
d9de6ea4ef2d7dca893d69e2d3b4157258c1cbce

SHA256
9dc81d360d86d64a842d36c0b720dd4331adf396bde95b1c6491c4330ba3e1f4

SHA512
b92e26c844ec621167c42fc2c966f5b5d0b23d7418e3c42f40f8f5cac62e7c0f590388739398cc7355810cdb9d5b3f4f8156b6b522bd67cb4eab9e2eea7a3e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\SLICv.txt

Filesize
9B

MD5
3e8fb09e71357a305daaffcb73d7ad46

SHA1
472ff7ae05e592c289df0ba97b8881422be3921e

SHA256
b652c559cac3cf2e78cb6cf68b87d943a8a2e4baa336afefd83fdbb2c921b435

SHA512
188825521049af97b3a99c43b73e32b59cd06348f89d1bbc696add94ff35865c71e822b37934421c4ec9a2edbe175ad7cdb57539ae0510a2b79318c2fadcc2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\SystemRam.vbs

Filesize
751B

MD5
da03c0e4f915c31147ee2adeb775958d

SHA1
c062096f40559dab4be04a5ebea7991696729069

SHA256
d8039cc11688243feb184db7a83d12440cefcbf7db7e35d541c759f74095761f

SHA512
985a325af8d4d3e3499ccf3d53f1362ae028d598bcef6270268f1df52808e43c029cff9d1c7fb8add50430b4b747594ecd8c90a64ace95556029c57ee345f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\UnixDateToDate.vbs

Filesize
424B

MD5
05b1670272d8cdf794d6b3cd8fe3aaa6

SHA1
fb5cb15b462643cfaa1d386e7073e620939f919c

SHA256
ab0ea82d4d3b9b90900f1c719058f92c658aad1cb327e5d318f36d076be53e24

SHA512
28995b257e65f73383e05e24e1155f074427b9e2b7b4c63528c9c2986ae6b442c33cebc02c0321728227c9ddca151cc8ffd60ab4dd14fdb8ef71375e43b7acfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Video.txt

Filesize
1KB

MD5
3e8d7a1bbea8c03ed36084d6a25b424b

SHA1
9b1bf13421a9e7613ed2f8dc3c7b9f56b1e75c2d

SHA256
dc64c52d16922df82d10697fe63f507d1e008f571091570d9923a84b01972929

SHA512
f4cefd7982cd809308996d0796b59c6ab09f070d3a6038780f4e0c6fc8c5259b20c5e1269605d2cc60fcf3055098fb60aff463452cec9aa7ea9c3e172aefa41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Windows 10 Enterprise LTSC 2021.txt

Filesize
29B

MD5
99f6d2bb21787807753c364f127cc9d7

SHA1
8c51232f94cc6507913dd898a224e823e879b95e

SHA256
a35720e3555f25da224fe50e7b4faa53d7003190f556d121f02e4cb119d56a9c

SHA512
e0c76103b51064f0a7c215dac2e9dafa421c608880c96cc5a7bf842a764a5c3202b48d4d71716eca4d6d9b3f55117e82b9a53bae9d6db7d4dc9087971d8bdf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\no1.txt

Filesize
4KB

MD5
27dab6b2e8c8b29dd25382f31671e7ff

SHA1
8428ee7cb0c91f04dea7ba21e50b335530f10015

SHA256
3322e36dc518fed84e5ede0835a696b05ed888a990f47cce65b0c2b17f26452d

SHA512
48904fce83c1d36ef11f69dc12a28a12b826e2f8361a25ab9ec7ee05bd6e0f1026c428a4fd7c524115c9735271123e62938977232bce764ce6a59e98135ad03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\no1.txt

Filesize
1KB

MD5
ab7145842a3d5cd257ca5aa109d5bee6

SHA1
8955e5a7f91acf7b31fcf4224b294cf85157c169

SHA256
84baa7ed4ca2803653cd7a02479c16223ac585d339a856b80accc00c093dce47

SHA512
fb9ba37680b79456ea9a8f28360c6da68ef085d3ca036e824dd2be4559b9ef90f3f24dcc75a0e9b063b3601ade77a4a816c7b8c29fb9a05ade4b7cf0e03de93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\no1.txt

Filesize
4KB

MD5
37da85302355e1e551247dafcf169376

SHA1
033c60555f4a223ef1503c630e0494ee9e894344

SHA256
e59eb3054101beae0724dd64339c63e96c7eff35f0649b1b4155cbe4d1ffa0f9

SHA512
76eb57a932faf7b267e1658313945d3a675df0f4572f4e57db985449ef82357ee649e402db789530889aa3521a8eab92468c78cfe158c961eebf58fedfc18587

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\sppwmi.vbs

Filesize
568B

MD5
d7aa084ac8c798ad8442fa5068ef10f9

SHA1
78b2d1b46115c37e6399153b7836288f33032cf3

SHA256
b63e5339170389020ff96fbb250a77632d9e0e2ca7cda6e0bd391ee1171a2183

SHA512
1d675fc0b035f0e4c2fe09143fb129ae61824ee18901af178f32aa5572f872b88f583b4b331b186bbbee6eddd7fb7a3c41730d2157182ca97fb087b5b8cea7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd

Filesize
623B

MD5
f9e9be7fe8fba17f6640d38d999a2a75

SHA1
9f0b5be8bf088dd2c2b0489d96647db1915ceeb8

SHA256
29de72c08983500798a15f58a27fc0c45e412cbc6cf0c1b3da0eb5a4e817496e

SHA512
7767d272012f9aa46853321bf18838e6267c32c013db4784f57a3f7a4a765eca471e516774d9e09bf60b906f120aea6579be969f1b18e8063c0426ab6dd41997

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTLog.log

Filesize
4KB

MD5
e8259790a17e12bcd41523be9a5c6014

SHA1
57ddf6ca7e28fbd8147cb91ea77d51e70d5c1f5a

SHA256
f71949481a0edaa61557f35ae46680f97e05f64088f9e3fce1c8908e7f064a1e

SHA512
d8568ff060b40acd7c1016c0b1dbed967ce86f6798fe89cd9d31a608b99c7a52672c2817237a6cd714542aea191fc2132a1d4794ded062aabadfb27b80e0e00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvbuc05r.hb0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2108-242-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2644-204-0x0000014764420000-0x000001476443E000-memory.dmp

Filesize
120KB

Download
memory/2644-203-0x0000014764630000-0x00000147646A6000-memory.dmp

Filesize
472KB

Download
memory/3440-273-0x000001ADAB040000-0x000001ADAB066000-memory.dmp

Filesize
152KB

Download
memory/3440-272-0x000001ADAAFB0000-0x000001ADAAFBA000-memory.dmp

Filesize
40KB

Download
memory/3440-271-0x000001ADAAFD0000-0x000001ADAAFE6000-memory.dmp

Filesize
88KB

Download
memory/4144-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4144-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-121-0x000001A75B160000-0x000001A75B16A000-memory.dmp

Filesize
40KB

Download
memory/4840-123-0x000001A775CB0000-0x000001A775CD4000-memory.dmp

Filesize
144KB

Download
memory/4840-122-0x000001A775CB0000-0x000001A775CDA000-memory.dmp

Filesize
168KB

Download
memory/4916-52-0x000002B0F8300000-0x000002B0F8322000-memory.dmp

Filesize
136KB

Download