a5dc155fa98ab7edaa456de7fb437b5ba07ce3401416a25a92693a37df1c6300

Analysis

max time kernel
126s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRPQTGv125.0.exe
Size

7.7MB
MD5

76d9bda14978cfb72485c6032c800fad
SHA1

29a8a065531bcfe7adb0d1a7b7adb78cd336e14c
SHA256

a5dc155fa98ab7edaa456de7fb437b5ba07ce3401416a25a92693a37df1c6300
SHA512

be4c21a721e0586fc15e780d956a80d78a8610180f9eddb7e308e64956bac7c1c121a7740f519b6b8bc5110b81f2237309b3fbbebefb17544d45cb81d6eaa65b
SSDEEP

98304:n4p/sbedo6JBrqU1TzhFc20tWsc20tWFc20tWtc20tWlHlCc20tWuiFmfpP4g:n6doe95FVuVPVHV3HlCVoDpP4g

Score

10^/10

defense_evasion discovery execution persistence privilege_escalation trojan upx

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\MRP_QT = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\GUI_QT = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4292	powershell.exe
744	powershell.exe
1532	powershell.exe
3320	powershell.exe
4636	powershell.exe
4504	powershell.exe
4036	powershell.exe
4384	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4808	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reg.exe

Executes dropped EXE 36 IoCs

pid	Process
3176	ChkValid.exe
2424	ChkValid.exe
1204	ChkValid.exe
1876	ChkValid.exe
1580	ChkValid.exe
4072	ChkValid.exe
4396	ChkValid.exe
2872	ChkValid.exe
4384	ChkValid.exe
3664	MRP_VMDetect.Exe
1252	Generic.exe
3744	Generic.exe
2824	Generic.exe
4692	Generic.exe
3128	Generic.exe
1152	ChkValid.exe
4592	ChkValid.exe
2996	ChkValid.exe
404	Generic.exe
1352	Generic.exe
2756	Generic.exe
2824	ChkValid.exe
5072	ChkValid.exe
4760	ChkValid.exe
2104	ChkValid.exe
1464	ChkValid.exe
212	ChkValid.exe
3016	ChkValid.exe
1800	ChkValid.exe
2248	MBRGPT.exe
4732	Process not Found
2660	Process not Found
4276	Process not Found
2044	Process not Found
4280	Process not Found
32	Process not Found

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
4592	bcdedit.exe

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
744	reg.exe
1152	powercfg.exe
1088	cmd.exe
2080	reg.exe
972	cmd.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023ce9-156.dat	autoit_exe
behavioral2/files/0x0008000000023ce7-231.dat	autoit_exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023ce3-170.dat	upx

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4428	sc.exe
3468	sc.exe
3952	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChkValid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1212	cmd.exe
4532	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	reg.exe

Delays execution with timeout.exe 27 IoCs

defense_evasion

pid	Process
4816	timeout.exe
3268	timeout.exe
1448	Process not Found
3332	timeout.exe
1580	timeout.exe
404	timeout.exe
2176	timeout.exe
816	Process not Found
2392	Process not Found
4996	timeout.exe
3192	timeout.exe
2940	timeout.exe
3936	timeout.exe
2344	timeout.exe
2604	Process not Found
2064	Process not Found
2392	timeout.exe
4180	timeout.exe
712	timeout.exe
388	timeout.exe
2336	Process not Found
2964	Process not Found
4564	timeout.exe
3592	timeout.exe
3176	timeout.exe
3620	timeout.exe
4052	timeout.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BiosVersion	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor	reg.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4116	systeminfo.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\MRP_QT\winmgmts:\root\CIMV2	MRP_VMDetect.Exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4292	powershell.exe
4292	powershell.exe
1532	powershell.exe
1532	powershell.exe
3320	powershell.exe
3320	powershell.exe
744	powershell.exe
744	powershell.exe
4636	powershell.exe
4636	powershell.exe
4504	powershell.exe
4504	powershell.exe
1800	powershell.exe
1800	powershell.exe
4036	powershell.exe
4036	powershell.exe
4384	powershell.exe
4384	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
32	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2060	WMIC.exe
Token: SeSecurityPrivilege	2060	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	WMIC.exe
Token: SeLoadDriverPrivilege	2060	WMIC.exe
Token: SeSystemProfilePrivilege	2060	WMIC.exe
Token: SeSystemtimePrivilege	2060	WMIC.exe
Token: SeProfSingleProcessPrivilege	2060	WMIC.exe
Token: SeIncBasePriorityPrivilege	2060	WMIC.exe
Token: SeCreatePagefilePrivilege	2060	WMIC.exe
Token: SeBackupPrivilege	2060	WMIC.exe
Token: SeRestorePrivilege	2060	WMIC.exe
Token: SeShutdownPrivilege	2060	WMIC.exe
Token: SeDebugPrivilege	2060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2060	WMIC.exe
Token: SeRemoteShutdownPrivilege	2060	WMIC.exe
Token: SeUndockPrivilege	2060	WMIC.exe
Token: SeManageVolumePrivilege	2060	WMIC.exe
Token: 33	2060	WMIC.exe
Token: 34	2060	WMIC.exe
Token: 35	2060	WMIC.exe
Token: 36	2060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2060	WMIC.exe
Token: SeSecurityPrivilege	2060	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	WMIC.exe
Token: SeLoadDriverPrivilege	2060	WMIC.exe
Token: SeSystemProfilePrivilege	2060	WMIC.exe
Token: SeSystemtimePrivilege	2060	WMIC.exe
Token: SeProfSingleProcessPrivilege	2060	WMIC.exe
Token: SeIncBasePriorityPrivilege	2060	WMIC.exe
Token: SeCreatePagefilePrivilege	2060	WMIC.exe
Token: SeBackupPrivilege	2060	WMIC.exe
Token: SeRestorePrivilege	2060	WMIC.exe
Token: SeShutdownPrivilege	2060	WMIC.exe
Token: SeDebugPrivilege	2060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2060	WMIC.exe
Token: SeRemoteShutdownPrivilege	2060	WMIC.exe
Token: SeUndockPrivilege	2060	WMIC.exe
Token: SeManageVolumePrivilege	2060	WMIC.exe
Token: 33	2060	WMIC.exe
Token: 34	2060	WMIC.exe
Token: 35	2060	WMIC.exe
Token: 36	2060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1208	WMIC.exe
Token: SeSecurityPrivilege	1208	WMIC.exe
Token: SeTakeOwnershipPrivilege	1208	WMIC.exe
Token: SeLoadDriverPrivilege	1208	WMIC.exe
Token: SeSystemProfilePrivilege	1208	WMIC.exe
Token: SeSystemtimePrivilege	1208	WMIC.exe
Token: SeProfSingleProcessPrivilege	1208	WMIC.exe
Token: SeIncBasePriorityPrivilege	1208	WMIC.exe
Token: SeCreatePagefilePrivilege	1208	WMIC.exe
Token: SeBackupPrivilege	1208	WMIC.exe
Token: SeRestorePrivilege	1208	WMIC.exe
Token: SeShutdownPrivilege	1208	WMIC.exe
Token: SeDebugPrivilege	1208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1208	WMIC.exe
Token: SeRemoteShutdownPrivilege	1208	WMIC.exe
Token: SeUndockPrivilege	1208	WMIC.exe
Token: SeManageVolumePrivilege	1208	WMIC.exe
Token: 33	1208	WMIC.exe
Token: 34	1208	WMIC.exe
Token: 35	1208	WMIC.exe
Token: 36	1208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1208	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4452	3472	MRPQTGv125.0.exe	87
PID 3472 wrote to memory of 4452	3472	MRPQTGv125.0.exe	87
PID 3472 wrote to memory of 4452	3472	MRPQTGv125.0.exe	87
PID 4452 wrote to memory of 2008	4452	cmd.exe	88
PID 4452 wrote to memory of 2008	4452	cmd.exe	88
PID 4452 wrote to memory of 2008	4452	cmd.exe	88
PID 4452 wrote to memory of 2984	4452	cmd.exe	89
PID 4452 wrote to memory of 2984	4452	cmd.exe	89
PID 4452 wrote to memory of 2984	4452	cmd.exe	89
PID 4452 wrote to memory of 3744	4452	cmd.exe	90
PID 4452 wrote to memory of 3744	4452	cmd.exe	90
PID 4452 wrote to memory of 2920	4452	cmd.exe	91
PID 4452 wrote to memory of 2920	4452	cmd.exe	91
PID 4452 wrote to memory of 3400	4452	cmd.exe	92
PID 4452 wrote to memory of 3400	4452	cmd.exe	92
PID 4452 wrote to memory of 3788	4452	cmd.exe	93
PID 4452 wrote to memory of 3788	4452	cmd.exe	93
PID 4452 wrote to memory of 804	4452	cmd.exe	94
PID 4452 wrote to memory of 804	4452	cmd.exe	94
PID 4452 wrote to memory of 2284	4452	cmd.exe	95
PID 4452 wrote to memory of 2284	4452	cmd.exe	95
PID 4452 wrote to memory of 468	4452	cmd.exe	96
PID 4452 wrote to memory of 468	4452	cmd.exe	96
PID 4452 wrote to memory of 468	4452	cmd.exe	96
PID 4452 wrote to memory of 4556	4452	cmd.exe	97
PID 4452 wrote to memory of 4556	4452	cmd.exe	97
PID 4452 wrote to memory of 4556	4452	cmd.exe	97
PID 4556 wrote to memory of 3176	4556	cmd.exe	98
PID 4556 wrote to memory of 3176	4556	cmd.exe	98
PID 4452 wrote to memory of 4296	4452	cmd.exe	100
PID 4452 wrote to memory of 4296	4452	cmd.exe	100
PID 4452 wrote to memory of 4296	4452	cmd.exe	100
PID 4296 wrote to memory of 1944	4296	cmd.exe	101
PID 4296 wrote to memory of 1944	4296	cmd.exe	101
PID 4452 wrote to memory of 4808	4452	cmd.exe	102
PID 4452 wrote to memory of 4808	4452	cmd.exe	102
PID 4452 wrote to memory of 2104	4452	cmd.exe	103
PID 4452 wrote to memory of 2104	4452	cmd.exe	103
PID 4452 wrote to memory of 2104	4452	cmd.exe	103
PID 4452 wrote to memory of 2060	4452	cmd.exe	104
PID 4452 wrote to memory of 2060	4452	cmd.exe	104
PID 4452 wrote to memory of 4472	4452	cmd.exe	105
PID 4452 wrote to memory of 4472	4452	cmd.exe	105
PID 4452 wrote to memory of 4996	4452	cmd.exe	106
PID 4452 wrote to memory of 4996	4452	cmd.exe	106
PID 4452 wrote to memory of 4516	4452	cmd.exe	110
PID 4452 wrote to memory of 4516	4452	cmd.exe	110
PID 4452 wrote to memory of 4516	4452	cmd.exe	110
PID 4516 wrote to memory of 1752	4516	cmd.exe	111
PID 4516 wrote to memory of 1752	4516	cmd.exe	111
PID 4452 wrote to memory of 1296	4452	cmd.exe	112
PID 4452 wrote to memory of 1296	4452	cmd.exe	112
PID 4452 wrote to memory of 1296	4452	cmd.exe	112
PID 1296 wrote to memory of 1208	1296	cmd.exe	113
PID 1296 wrote to memory of 1208	1296	cmd.exe	113
PID 4452 wrote to memory of 3320	4452	cmd.exe	114
PID 4452 wrote to memory of 3320	4452	cmd.exe	114
PID 4452 wrote to memory of 3320	4452	cmd.exe	114
PID 4452 wrote to memory of 4116	4452	cmd.exe	115
PID 4452 wrote to memory of 4116	4452	cmd.exe	115
PID 4452 wrote to memory of 3200	4452	cmd.exe	116
PID 4452 wrote to memory of 3200	4452	cmd.exe	116
PID 4452 wrote to memory of 3200	4452	cmd.exe	116
PID 4452 wrote to memory of 2404	4452	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MRPQTGv125.0.exe
"C:\Users\Admin\AppData\Local\Temp\MRPQTGv125.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\mode.com
    mode con cols=90 lines=23
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node"
    3⤵
    PID:3744
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot81"
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot81"
    3⤵
    PID:3400
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node"
    3⤵
    PID:3788
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Wow6432Node\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot10"
    3⤵
    PID:804
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Kits\Installed Roots" /v "KitsRoot10"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "dism.exe"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "C:\Windows\System32\DISM.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\system32\cscript.exe
      cscript //nologo //e:jscript "C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd" /file:"C:\Windows\System32\Dism.exe"
      4⤵
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CALL "zfileVer.cmd" "C:\Windows\SysWOW64\DISM.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\cscript.exe
      cscript //nologo //e:jscript "C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd" /file:"C:\Windows\SysWOW64\Dism.exe"
      4⤵
      PID:1944
- - C:\Windows\system32\attrib.exe
    Attrib "C:\Users\Admin\AppData\Local\Temp\MRP_QT" +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2104
- - C:\Windows\system32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\system32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:4472
- - C:\Windows\system32\timeout.exe
    TIMEOUT /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "MRPDetectCPU.vbs" 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "MRPDetectCPU.vbs"
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET osarchitecture /value 2>nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET osarchitecture /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO "64-bit " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3320
- - C:\Windows\system32\findstr.exe
    FindStr /i "64"
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO "64-bit " "
    3⤵
    PID:3200
- - C:\Windows\system32\findstr.exe
    FindStr /i "32"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy" 2>nul
    3⤵
    PID:5064
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy"
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy"
      4⤵
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:4316
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:4428
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:4356
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:4580
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:5052
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:4564
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:1684
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install"
      4⤵
      PID:1528
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:1996
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install"
      4⤵
      PID:3388
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "1.0, 2.0, 3.0, 4.0, 5.0, 5.1 " "
    3⤵
    PID:2248
- - C:\Windows\system32\findstr.exe
    findstr /i "3."
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "1.0, 2.0, 3.0, 4.0, 5.0, 5.1 " "
    3⤵
    PID:4832
- - C:\Windows\system32\findstr.exe
    findstr /i "5."
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "5.1.19041.1 " "
    3⤵
    PID:2280
- - C:\Windows\system32\findstr.exe
    findstr /i "5."
    3⤵
    PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:3328
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\9.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:3776
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:1540
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\10.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:4712
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:816
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\11.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:3880
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\12.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:548
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version" 2>nul
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\WOW6432Node\Microsoft\DevDiv\vc\Servicing\14.0\RuntimeAdditional" /v "Version"
      4⤵
      PID:2380
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs" 2>Nul
    3⤵
    PID:2424
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs"
      4⤵
      PID:4744
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    3⤵
    PID:4072
- - C:\Windows\system32\findstr.exe
    FindStr /I "C:\Users\Admin\AppData\Local\Temp\MRP_QT"
    3⤵
    PID:2756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $A='HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths','preserve','S-1-1-0','','','';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd')-split':Own1\:.*')[1])
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4292
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp\MRP_QT" /d "0" /t reg_dword /f
    3⤵
    - Windows security bypass
    PID:2452
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp\GUI_QT" /d "0" /t reg_dword /f
    3⤵
    - Windows security bypass
    PID:956
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MRP_QT" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MRP_QT' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $A='HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths','none','S-1-1-0','','','';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd')-split':Own1\:.*')[1])
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:744
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    3⤵
    PID:2332
- - C:\Windows\system32\findstr.exe
    FindStr /I "C:\Users\Admin\AppData\Local\Temp\MRP_QT"
    3⤵
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout /t 2 /NoBreak
    3⤵
    - Delays execution with timeout.exe
    PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" 2>nul
    3⤵
    PID:2948
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled"
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo" 2>nul
    3⤵
    PID:1048
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo"
      4⤵
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo" 2>nul
    3⤵
    PID:4056
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "DisplayLogo"
      4⤵
      PID:2496
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 process get processid,parentprocessid,executablepath
    3⤵
    PID:2940
- - C:\Windows\system32\findstr.exe
    FindStr /I "Powershell"
    3⤵
    PID:4608
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 process get processid,parentprocessid,executablepath
    3⤵
    PID:2864
- - C:\Windows\system32\findstr.exe
    FindStr /I "CMD"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" 2>nul
    3⤵
    PID:4528
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion"
      4⤵
      PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion"
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" 2>nul
    3⤵
    PID:4784
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion"
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "DirtyShutdownCount" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "DirtyShutdownCount"
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionVersion" /v "EditionBuildQfe" 2>nul
    3⤵
    PID:4496
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionVersion" /v "EditionBuildQfe"
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "PEFirmwareType" 2>nul
    3⤵
    PID:4968
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Control" /v "PEFirmwareType"
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" 2>nul
    3⤵
    PID:2368
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection"
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions" 2>nul
    3⤵
    PID:3656
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions"
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" 2>nul
    3⤵
    PID:2116
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction"
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic os get LocalDateTime /value 2>nul
    3⤵
    PID:4472
  - - C:\Windows\system32\Wbem\WMIC.exe
      wmic os get LocalDateTime /value
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2>nul
    3⤵
    PID:3624
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity"
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs" 2>Nul
    3⤵
    PID:772
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "CompUpTime2.vbs"
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1848
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection"
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions" 2>nul
    3⤵
    PID:2172
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows Defender\Features" /v "TPExclusions"
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" 2>nul
    3⤵
    PID:2840
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction"
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used" 2>nul
    3⤵
    PID:1160
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used"
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used"
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "FindTPM.vbs" 2>Nul
    3⤵
    PID:1204
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "FindTPM.vbs"
      4⤵
      PID:4844
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1" 2>nul
    3⤵
    PID:4620
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" 2>nul
    3⤵
    PID:3216
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck"
      4⤵
      PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck"
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" 2>nul
    3⤵
    PID:3480
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck"
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU" 2>nul
    3⤵
    PID:2176
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU"
      4⤵
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU" 2>nul
    3⤵
    PID:3348
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SYSTEM\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU"
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubVersion" 2>NUL
    3⤵
    PID:5088
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubVersion"
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubString" 2>NUL
    3⤵
    PID:2396
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionSubString"
      4⤵
      PID:2760
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE" /v "MRP_Version_Used"
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used" 2>nul
    3⤵
    PID:2380
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\MRP3" /v "MRP_Version_Used"
      4⤵
      PID:404
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:2392
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<EnterpriseEval\>"
    3⤵
    PID:2116
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:516
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<EnterpriseEvalN\>"
    3⤵
    PID:1464
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
    3⤵
    PID:4880
- - C:\Windows\system32\findstr.exe
    FindStr /I "Eval"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "Isw11.vbs" 2>Nul
    3⤵
    PID:3308
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "Isw11.vbs"
      4⤵
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" 2>nul
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:1848
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersion" 2>nul
    3⤵
    PID:2172
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersion"
      4⤵
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersionInfo" 2>nul
    3⤵
    PID:2840
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetReleaseVersionInfo"
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" 2>nul
    3⤵
    PID:1160
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork"
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" 2>nul
    3⤵
    PID:1208
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate"
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" 2>nul
    3⤵
    PID:4300
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled"
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DestBuildNum" 2>nul
    3⤵
    PID:1204
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DestBuildNum"
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "RedReason" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "RedReason"
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgEx" 2>nul
    3⤵
    PID:1084
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgEx"
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgExU" 2>nul
    3⤵
    PID:3336
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "UpgExU"
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DX12" 2>nul
    3⤵
    PID:4368
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "DX12"
      4⤵
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Genuine" 2>nul
    3⤵
    PID:884
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Genuine"
      4⤵
      PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "OEM" 2>nul
    3⤵
    PID:636
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "OEM"
      4⤵
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Touch" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "Touch"
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser" /v "HaveUploadedForTarget" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser" /v "HaveUploadedForTarget"
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "SystemDriveTooFull" 2>nul
    3⤵
    PID:972
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2" /v "SystemDriveTooFull"
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" 2>nul
    3⤵
    PID:2832
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride"
      4⤵
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" 2>nul
    3⤵
    PID:4832
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask"
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" 2>NUL
    3⤵
    PID:2472
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CompositionEditionID" 2>NUL
    3⤵
    PID:4456
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CompositionEditionID"
      4⤵
      PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>NUL | FindStr /I "CurrentVersion" 2>nul
    3⤵
    PID:3328
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:2864
  - - C:\Windows\system32\findstr.exe
      FindStr /I "CurrentVersion"
      4⤵
      PID:3400
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
    3⤵
    PID:4028
- - C:\Windows\system32\findstr.exe
    FindStr /I "0x70"
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ECHO "Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288"
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"
    3⤵
    PID:3348
- - C:\Windows\system32\findstr.exe
    FindStr /I "0x70"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE" 2>nul
    3⤵
    PID:5088
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
      4⤵
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId" 2>nul
    3⤵
    PID:4036
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionId"
      4⤵
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Codesigning-Support" 2>nul
    3⤵
    PID:1876
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Codesigning-Support"
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Core-Codesigning-Support" 2>nul
    3⤵
    PID:3124
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Servicing\CodeSigning\SHA2" /v "SHA2-Core-Codesigning-Support"
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\BitlockerStatus" /v "BootStatus" 2>nul
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\BitlockerStatus" /v "BootStatus"
      4⤵
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus" /v "BootStatus" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus" /v "BootStatus"
      4⤵
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01"
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "32" 2>nul
    3⤵
    PID:4384
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "32"
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "512" 2>nul
    3⤵
    PID:3516
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "512"
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul
    3⤵
    PID:5108
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\Control Panel\Desktop" /v "WallpaperStyle" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\Control Panel\Desktop" /v "WallpaperStyle"
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:4292
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:2204
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
    3⤵
    PID:2576
- - C:\Windows\system32\findstr.exe
    FindStr /v /r /c:"^$" /c:"displayName"
    3⤵
    PID:1860
- - C:\Windows\system32\sort.exe
    sort "C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt"
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Type "C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt" 2>Nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "MpsSvc" 2>nul
    3⤵
    PID:2304
  - - C:\Windows\system32\sc.exe
      sc query "MpsSvc"
      4⤵
      Launches sc.exe
      PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start" 2>nul
    3⤵
    PID:3320
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start"
      4⤵
      PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "WinDefend" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Windows\system32\sc.exe
      sc query "WinDefend"
      4⤵
      Launches sc.exe
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start"
      4⤵
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get HypervisorPresent /format:list" 2>nul
    3⤵
    PID:884
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get HypervisorPresent /format:list
      4⤵
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get PartOfDomain /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get PartOfDomain /format:list
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get DomainRole /format:list" 2>nul
    3⤵
    PID:4816
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get DomainRole /format:list
      4⤵
      PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 ComputerSystem get PCSystemType /format:list" 2>nul
    3⤵
    PID:1252
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 ComputerSystem get PCSystemType /format:list
      4⤵
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 logicaldisk where ^(caption="C:"^) get filesystem /value" 2>nul
    3⤵
    PID:4960
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 logicaldisk where (caption="C:") get filesystem /value
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "GetInstDate.vbs" 2>Nul
    3⤵
    PID:3684
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "GetInstDate.vbs"
      4⤵
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "QueryDisks.vbs" 2>Nul
    3⤵
    PID:3792
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "QueryDisks.vbs"
      4⤵
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "232138804165" 2
    3⤵
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "232138804165" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c PowerShell "Get-PhysicalDisk | Select MediaType, DeviceID" 2>nul
    3⤵
    PID:4760
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell "Get-PhysicalDisk | Select MediaType, DeviceID"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "WDC WDS100T2B0A" 2
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "WDC WDS100T2B0A" 2
      4⤵
      Executes dropped EXE
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query "defragsvc" 2>nul
    3⤵
    PID:4880
  - - C:\Windows\system32\sc.exe
      sc query "defragsvc"
      4⤵
      Launches sc.exe
      PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Services\DefragSvc" /v "Start" 2>nul
    3⤵
    PID:3624
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\System\CurrentControlSet\Services\DefragSvc" /v "Start"
      4⤵
      PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Disabled" 2>nul
    3⤵
    PID:4612
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:4240
  - - C:\Windows\system32\findstr.exe
      findstr /I "Disabled"
      4⤵
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Ready" 2>nul
    3⤵
    PID:4380
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:1352
  - - C:\Windows\system32\findstr.exe
      findstr /I "Ready"
      4⤵
      PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH 2>nul | findstr /I "Running" 2>nul
    3⤵
    PID:2172
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /NH
      4⤵
      PID:3096
  - - C:\Windows\system32\findstr.exe
      findstr /I "Running"
      4⤵
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" 2>nul | findstr /I /C:"Status:" 2>nul
    3⤵
    PID:3000
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
      4⤵
      PID:1152
  - - C:\Windows\system32\findstr.exe
      findstr /I /C:"Status:"
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" 2>nul | findstr /I /C:"Scheduled Task State:" 2>nul
    3⤵
    PID:2292
  - - C:\Windows\system32\schtasks.exe
      schtasks /Query /v /FO list /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
      4⤵
      PID:1296
  - - C:\Windows\system32\findstr.exe
      findstr /I /C:"Scheduled Task State:"
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tzutil /g
    3⤵
    PID:3200
  - - C:\Windows\system32\tzutil.exe
      tzutil /g
      4⤵
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "UTC" 2
    3⤵
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "UTC" 2
      4⤵
      Executes dropped EXE
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "TimeZoneKeyName" 2>nul
    3⤵
    PID:4428
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "TimeZoneKeyName"
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "ActiveTimeBias" | FindStr /i "ActiveTimeBias" 2>nul
    3⤵
    PID:4356
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "ActiveTimeBias"
      4⤵
      PID:4016
  - - C:\Windows\system32\findstr.exe
      FindStr /i "ActiveTimeBias"
      4⤵
      PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo 0 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic useraccount where name='Admin' get sid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4316
  - - C:\Windows\system32\Wbem\WMIC.exe
      wmic useraccount where name='Admin' get sid
      4⤵
      PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International" /v "LocaleName" 2>nul
    3⤵
    PID:4884
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International" /v "LocaleName"
      4⤵
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International" /v "sCountry" 2>nul
    3⤵
    PID:4636
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International" /v "sCountry"
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\PowerCfg" /v "CurrentPowerPolicy" 2>nul
    3⤵
    - Power Settings
    PID:1088
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\PowerCfg" /v "CurrentPowerPolicy"
      4⤵
      Power Settings
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\PowerCfg\PowerPolicies\0" /v "Name" 2>nul
    3⤵
    - Power Settings
    PID:972
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKEY_USERS\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\PowerCfg\PowerPolicies\0" /v "Name"
      4⤵
      Power Settings
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get OSLanguage /format:list" 2>nul
    3⤵
    PID:4816
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get OSLanguage /format:list
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /ad /b "C:\Windows\*-*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\.DEFAULT\Control Panel\International\Geo" /v "Nation" | FindStr /i "Nation" 2>nul
    3⤵
    PID:4984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\.DEFAULT\Control Panel\International\Geo" /v "Nation"
      4⤵
      PID:3216
  - - C:\Windows\system32\findstr.exe
      FindStr /i "Nation"
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKCU\Control Panel\International\Geo" /v "Nation" | FindStr /i "Nation" 2>nul
    3⤵
    PID:4960
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKCU\Control Panel\International\Geo" /v "Nation"
      4⤵
      PID:3400
  - - C:\Windows\system32\findstr.exe
      FindStr /i "Nation"
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET CAPTION /VALUE 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET CAPTION /VALUE
      4⤵
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET NumberOfLicensedUsers /value 2>nul
    3⤵
    PID:1564
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET NumberOfLicensedUsers /value
      4⤵
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS GET PortableOperatingSystem /value 2>nul
    3⤵
    PID:1468
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS GET PortableOperatingSystem /value
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_32BitApplications /format:list" 2>nul
    3⤵
    PID:1876
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_32BitApplications /format:list
      4⤵
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Available /format:list" 2>nul
    3⤵
    PID:2924
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Available /format:list
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list" 2>nul
    3⤵
    PID:3128
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list
      4⤵
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_SupportPolicy /format:list" 2>nul
    3⤵
    PID:4352
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH WIN32_OperatingSystem get DataExecutionPrevention_SupportPolicy /format:list
      4⤵
      PID:1464
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:2624
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:3712
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<INSIDER\>"
    3⤵
    PID:4180
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:3624
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:1620
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<PREVIEW\>"
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:4612
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<WINDOWS\>"
    3⤵
    PID:1272
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<10\>"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" 2>nul
    3⤵
    PID:4744
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade"
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade" 2>nul
    3⤵
    PID:3628
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade"
      4⤵
      PID:1936
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKCR\PackagedCom\ClassIndex\{9F156763-7844-4DC4-B2B1-901F640F5155}"
    3⤵
    PID:2232
- - C:\Windows\system32\findstr.exe
    FindStr /I "WindowsTerminal"
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe QUERY "HKCR\PackagedCom\Package\"
    3⤵
    PID:1208
- - C:\Windows\system32\findstr.exe
    FindStr /I "WindowsTerminal"
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup" /f "Source OS" /k | FindStr /I "Source" 2>nul
    3⤵
    PID:5112
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\Setup" /f "Source OS" /k
      4⤵
      PID:2188
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Source"
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" 2>NUL
    3⤵
    PID:4544
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves"
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "BranchReadinessLevel" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "BranchReadinessLevel"
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel" 2>nul
    3⤵
    PID:4304
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel"
      4⤵
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel" 2>nul
    3⤵
    PID:4424
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel"
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\PolicyManager\default\Update\BranchReadinessLevel" /v "Value" 2>nul
    3⤵
    PID:4408
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\PolicyManager\default\Update\BranchReadinessLevel" /v "Value"
      4⤵
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" 2>nul
    3⤵
    PID:3968
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus"
      4⤵
      PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" 2>nul
    3⤵
    PID:2208
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus"
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list" 2>nul
    3⤵
    PID:4636
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list
      4⤵
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list" 2>nul
    3⤵
    PID:4868
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:3568
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list
      4⤵
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:4028
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list
      4⤵
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    PID:2760
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS Get VERSION /Value" 2>nul
    3⤵
    PID:1944
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get VERSION /Value
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BXPC____" 2
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BXPC____" 2
      4⤵
      Executes dropped EXE
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS_" 2
    3⤵
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS_" 2
      4⤵
      Executes dropped EXE
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS" 2
    3⤵
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS" 2
      4⤵
      Executes dropped EXE
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2928
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:3256
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2720
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:1212
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:1860
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:3332
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____ " "
    3⤵
    PID:4860
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:4428
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:1952
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:4304
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "N/A " "
    3⤵
    PID:4424
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:4408
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:4436
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2656
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:4580
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:808
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:4620
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS_ " "
    3⤵
    PID:2984
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:2284
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:804
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA " "
    3⤵
    PID:4528
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:4588
- - C:\Windows\system32\findstr.exe
    FindStr /I "HP"
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:1564
- - C:\Windows\system32\findstr.exe
    FindStr /I "COMPAQ"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:2064
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hewlett"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BOCHS " "
    3⤵
    PID:4692
- - C:\Windows\system32\findstr.exe
    FindStr /I "Packard"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "
    3⤵
    PID:3620
- - C:\Windows\system32\findstr.exe
    findstr /irc:"NVIDIA Corporation"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2664
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -ExecutionPolicy Unrestricted -command "C:\Users\Admin\AppData\Local\Temp\MRP_QT\PSVid3.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState" /value 2>nul | FindStr "=" 2>Nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState" /value
      4⤵
      PID:3216
    - - C:\Windows\system32\Wbem\WMIC.exe
        
        WMIC /locale:ms_409 path Win32_WinSAT get CPUScore, MemoryScore, D3DScore, GraphicsScore, DiskScore, WinSPRLevel, WinSATAssessmentState /value
        5⤵
        
        PID:212
  - - C:\Windows\system32\findstr.exe
      FindStr "="
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "NETAdapt.vbs" 2>Nul
    3⤵
    PID:4016
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "NETAdapt.vbs"
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo 5E:35:9C:FC:57:96
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 OS get OperatingSystemSKU /VALUE 2>nul
    3⤵
    PID:2864
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 OS get OperatingSystemSKU /VALUE
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    cmd /c exit /b 48
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MRP_VMDetect.exe
    3⤵
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP_VMDetect.Exe
      MRP_VMDetect.exe
      4⤵
      Executes dropped EXE
      NTFS ADS
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters\" /v "PhysicalHostNameFullyQualified" | FindStr /i "PhysicalHostNameFullyQualified" 2>nul
    3⤵
    PID:4692
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters\" /v "PhysicalHostNameFullyQualified"
      4⤵
      PID:1224
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PhysicalHostNameFullyQualified"
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft Basic Display Adapter " "
    3⤵
    PID:4760
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hyper-V"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " " "
    3⤵
    PID:404
- - C:\Windows\system32\findstr.exe
    FindStr /I "Hyper-V"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    PID:2660
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "SystemBiosVersion" 2>nul | FindStr /I "VRTUAL" 2>nul
    3⤵
    PID:1352
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "SystemBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:1936
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VRTUAL"
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:2624
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2116
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2404
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4292
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:1860
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4280
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:4860
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:1700
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:4356
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2908
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:4752
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2080
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:3912
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:4132
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:3628
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:2292
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:4612
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:4384
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:3592
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:1540
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    PID:2264
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2864
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor" 2>nul | FindStr /I "VMWare" 2>nul
    3⤵
    PID:4028
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVendor"
      4⤵
      Enumerates system info in registry
      PID:4444
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWare"
      4⤵
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion" 2>nul | FindStr /I "VMWare" 2>nul
    3⤵
    PID:4816
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System\BIOS" /v "BiosVersion"
      4⤵
      Enumerates system info in registry
      PID:2284
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWare"
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "VirtualBox" 2>nul
    3⤵
    PID:3400
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:4908
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VirtualBox"
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:1564
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:512
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion" 2>nul | FindStr /I "XEN" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\Description\System" /v "VideoBiosVersion"
      4⤵
      Checks BIOS information in registry
      PID:2060
  - - C:\Windows\system32\findstr.exe
      FindStr /I "XEN"
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:3620
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2924
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3312
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:4180
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1196
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2744
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:3712
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:5112
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:4036
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:212
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:2172
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2188
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VBox" 2>nul
    3⤵
    PID:1096
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4544
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VBox"
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3976
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4304
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3732
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2344
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:1012
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3528
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1212
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3256
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4424
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4868
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:1848
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3096
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "VMWARE" 2>nul
    3⤵
    PID:3772
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3592
  - - C:\Windows\system32\findstr.exe
      FindStr /I "VMWARE"
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4528
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:2264
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4028
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:1424
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:4816
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:4768
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:3400
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier" 2>nul | FindStr /I "QEMU" 2>nul
    3⤵
    PID:3192
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 1\Target Id 0\Logical Unit Id 0" /v "Identifier"
      4⤵
      PID:1564
  - - C:\Windows\system32\findstr.exe
      FindStr /I "QEMU"
      4⤵
      PID:5088
- - C:\Windows\system32\timeout.exe
    timeout /T 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3176
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:404
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3620
- - C:\Windows\system32\cmd.exe
    cmd /C exit 1033
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" 2>nul | FindStr /i "PreferredUILanguages" 2>nul
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"
      4⤵
      PID:1196
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PreferredUILanguages"
      4⤵
      PID:4512
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v2" 2>nul
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:1352
  - - C:\Windows\system32\findstr.exe
      findstr /i "v2"
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v3.5" 2>nul
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:2624
  - - C:\Windows\system32\findstr.exe
      findstr /i "v3.5"
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | findstr /i "v4" 2>nul
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4808
  - - C:\Windows\system32\findstr.exe
      findstr /i "v4"
      4⤵
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Release" 2>nul
    3⤵
    PID:4292
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Release"
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Version" 2>nul
    3⤵
    PID:4116
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Version"
      4⤵
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v1" 2>nul
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:3224
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v1"
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v2" 2>nul
    3⤵
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:3320
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v2"
      4⤵
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "InstallSuccess" 2>nul
    3⤵
    PID:4752
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "InstallSuccess"
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "Version" 2>nul
    3⤵
    PID:2080
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup" /v "Version"
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Install" 2>nul
    3⤵
    PID:1212
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Install"
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Version" 2>nul
    3⤵
    PID:956
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" /v "Version"
      4⤵
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /B /A:D "C:\Windows\Microsoft.NET\Framework" | FindStr /i "v4" 2>nul
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir /B /A:D "C:\Windows\Microsoft.NET\Framework" "
      4⤵
      PID:2176
  - - C:\Windows\system32\findstr.exe
      FindStr /i "v4"
      4⤵
      PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Program Files\\DotNet\\Dotnet.exe'" get Version /VALUE 2>nul
    3⤵
    PID:4384
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Program Files\\DotNet\\Dotnet.exe'" get Version /VALUE
      4⤵
      PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Program Files\\DotNet\\Dotnet.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Program Files\\DotNet\\Dotnet.exe'" GET Version /VALUE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3232
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "Generic.exe" /OS
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      Generic.exe /OS
      4⤵
      Executes dropped EXE
      PID:1252
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /SLIC
    3⤵
    - Executes dropped EXE
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /CERT
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /KEY
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    Generic.exe /MSDM
    3⤵
    - Executes dropped EXE
    PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:2452
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:2368
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion" 2>nul | FindStr /I "PowerShellVersion" 2>nul
    3⤵
    PID:2432
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PowerShellVersion"
      4⤵
      PID:3176
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PowerShellVersion"
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:1716
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:5092
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion" 2>nul | FindStr /I "PSCompatibleVersion" 2>nul
    3⤵
    PID:864
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v "PSCompatibleVersion"
      4⤵
      PID:2872
  - - C:\Windows\system32\findstr.exe
      FindStr /I "PSCompatibleVersion"
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v "Install"
      4⤵
      PID:1464
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install" 2>nul | FindStr /I "Install" 2>nul
    3⤵
    PID:3308
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3" /v "Install"
      4⤵
      PID:3000
  - - C:\Windows\system32\findstr.exe
      FindStr /I "Install"
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "MRPCPUNum.vbs" 2>Nul
    3⤵
    PID:4500
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "MRPCPUNum.vbs"
      4⤵
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "DynamicDaylightTimeDisabled" 2>nul | FindStr /I "DynamicDaylightTimeDisabled" 2>nul
    3⤵
    PID:5112
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "DynamicDaylightTimeDisabled"
      4⤵
      PID:2272
  - - C:\Windows\system32\findstr.exe
      FindStr /I "DynamicDaylightTimeDisabled"
      4⤵
      PID:4808
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SystemInfo 2>Nul | FindStr /I /B /C:"OS Name" 2>nul
    3⤵
    PID:4544
  - - C:\Windows\system32\systeminfo.exe
      SystemInfo
      4⤵
      Gathers system information
      PID:4116
  - - C:\Windows\system32\findstr.exe
      FindStr /I /B /C:"OS Name"
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "Start" 2>nul
    3⤵
    PID:2248
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "Start"
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "DelayedAutoStart" 2>nul
    3⤵
    PID:1272
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\System\CurrentControlSet\Services\cbdhsvc" /v "DelayedAutoStart"
      4⤵
      PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" 2>nul
    3⤵
    PID:2112
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Clipboard" /v "EnableClipboardHistory"
      4⤵
      PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" 2>nul
    3⤵
    PID:4424
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard"
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" 2>nul
    3⤵
    PID:4532
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory"
      4⤵
      PID:4708
- - C:\Windows\system32\bcdedit.exe
    bcdedit /enum {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4592
- - C:\Windows\system32\findstr.exe
    findstr /I /R /C:"^flightsigning *Yes$"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -NoProfile "(Get-AppxPackage -Name 'MicrosoftWindows.Client.CBS').Version" 2>nul
    3⤵
    PID:4792
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -NoProfile "(Get-AppxPackage -Name 'MicrosoftWindows.Client.CBS').Version"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSVersion" 2>nul
    3⤵
    PID:2984
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSVersion"
      4⤵
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSReleaseDate" 2>nul
    3⤵
    PID:816
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "BIOSReleaseDate"
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" 2>nul
    3⤵
    PID:3744
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:548
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType" 2>nul
    3⤵
    PID:4692
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CSDVersion" 2>nul
    3⤵
    PID:1924
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CSDVersion"
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion" 2>nul
    3⤵
    PID:3128
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BaseBuildRevisionNumber" 2>nul
    3⤵
    PID:3348
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BaseBuildRevisionNumber"
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLabEx" 2>nul
    3⤵
    PID:1928
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLabEx"
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildBranch" 2>nul
    3⤵
    PID:2432
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildBranch"
      4⤵
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" 2>nul
    3⤵
    PID:4324
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR" 2>nul
    3⤵
    PID:4736
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul
    3⤵
    PID:864
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ReleaseID" 2>nul
    3⤵
    PID:3696
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ReleaseID"
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo vb_release 2>nul
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID" 2>nul
    3⤵
    PID:4180
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
      4⤵
      PID:2424
- - C:\Windows\system32\cmd.exe
    cmd /C exit 003311
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\winver.exe'" get Version /VALUE 2>nul
    3⤵
    PID:208
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\winver.exe'" get Version /VALUE
      4⤵
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\winver.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:3880
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\winver.exe'" GET Version /VALUE
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\attrib.exe'" get Version /VALUE 2>nul
    3⤵
    PID:4292
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 DataFile where "Name='C:\\Windows\\System32\\attrib.exe'" get Version /VALUE
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\attrib.exe'" GET Version /VALUE 2>nul
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe DATAFILE WHERE "name='C:\\Windows\\System32\\attrib.exe'" GET Version /VALUE
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber" 2>nul
    3⤵
    PID:4848
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber"
      4⤵
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMinorVersionNumber" 2>nul
    3⤵
    PID:2664
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMinorVersionNumber"
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>NUL WMIC /locale:ms_409 SystemEnclosure GET ChassisTypes 2>nul | FindStr /i "}" 2>nul
    3⤵
    PID:2336
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET ChassisTypes
      4⤵
      PID:4628
  - - C:\Windows\system32\findstr.exe
      FindStr /i "}"
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2112
- - C:\Windows\system32\powercfg.exe
    powercfg /list
    3⤵
    - Power Settings
    PID:1152
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2176
- - C:\Windows\system32\findstr.exe
    FindStr /I "381b4222-f694-41f0-9685-ff5bb260df2e" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:4532
- - C:\Windows\system32\findstr.exe
    FindStr /I "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:3568
- - C:\Windows\system32\findstr.exe
    FindStr /I "a1841308-3541-4fab-bc81-f71556f20b4a" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:1044
- - C:\Windows\system32\findstr.exe
    FindStr /I "e9a42b02-d5df-448d-aa00-03f14749eb61" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:4052
- - C:\Windows\system32\findstr.exe
    FindStr /I "381b4222-f694-41f0-9685-ff5bb260df2e" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:4784
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:4592
- - C:\Windows\system32\findstr.exe
    FindStr /I "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:2396
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:3792
- - C:\Windows\system32\findstr.exe
    FindStr /I "a1841308-3541-4fab-bc81-f71556f20b4a" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:2864
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:1204
- - C:\Windows\system32\findstr.exe
    FindStr /I "e9a42b02-d5df-448d-aa00-03f14749eb61" "C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt"
    3⤵
    PID:5100
- - C:\Windows\system32\findstr.exe
    Findstr /I "*"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Manufacturer /Value 2>nul
    3⤵
    PID:4444
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Manufacturer /Value
      4⤵
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Model /Value 2>nul
    3⤵
    PID:816
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Model /Value
      4⤵
      PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET Product /Value 2>nul
    3⤵
    PID:1524
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET Product /Value
      4⤵
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BaseBoard GET SerialNumber /Value 2>nul
    3⤵
    PID:4700
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BaseBoard GET SerialNumber /Value
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET PartNumber /Value 2>nul
    3⤵
    PID:2368
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET PartNumber /Value
      4⤵
      PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET SecurityStatus /Value 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET SecurityStatus /Value
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET ServicePhilosophy /Value 2>nul
    3⤵
    PID:5076
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET ServicePhilosophy /Value
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 SystemEnclosure GET Version /Value 2>nul
    3⤵
    PID:3624
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 SystemEnclosure GET Version /Value
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Name" | Findstr /I "Name" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Name"
      4⤵
      PID:1620
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Name"
      4⤵
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Vendor" | Findstr /I "Vendor" 2>nul
    3⤵
    PID:2424
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "Vendor"
      4⤵
      PID:3332
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Vendor"
      4⤵
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "UUID" | Findstr /I "UUID" 2>nul
    3⤵
    PID:4800
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystemProduct" "UUID"
      4⤵
      PID:2172
  - - C:\Windows\system32\findstr.exe
      Findstr /I "UUID"
      4⤵
      PID:516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Model" | Findstr /I "Model" 2>nul
    3⤵
    PID:4356
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Model"
      4⤵
      PID:3216
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Model"
      4⤵
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Manufacturer" | Findstr /I "Manufacturer" 2>nul
    3⤵
    PID:4876
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_ComputerSystem" "Manufacturer"
      4⤵
      PID:3976
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Manufacturer"
      4⤵
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Product" | Findstr /I "Product" 2>nul
    3⤵
    PID:1572
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Product"
      4⤵
      PID:1076
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Product"
      4⤵
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Manufacturer" | Findstr /I "Manufacturer" 2>nul
    3⤵
    PID:4560
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Manufacturer"
      4⤵
      PID:1000
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Manufacturer"
      4⤵
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Model" | Findstr /I "Model" 2>nul
    3⤵
    PID:2840
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Model"
      4⤵
      PID:4832
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Model"
      4⤵
      PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:1996
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "SerialNumber"
      4⤵
      PID:1188
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Tag" | Findstr /I "Tag" 2>nul
    3⤵
    PID:3684
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BaseBoard" "Tag"
      4⤵
      PID:3756
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Tag"
      4⤵
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:4056
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SerialNumber"
      4⤵
      PID:4612
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "PartNumber" | Findstr /I "PartNumber" 2>nul
    3⤵
    PID:5108
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "PartNumber"
      4⤵
      PID:2736
  - - C:\Windows\system32\findstr.exe
      Findstr /I "PartNumber"
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SecurityStatus" | Findstr /I "SecurityStatus" 2>nul
    3⤵
    PID:2844
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "SecurityStatus"
      4⤵
      PID:5088
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SecurityStatus"
      4⤵
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "ServicePhilosophy" | Findstr /I "ServicePhilosophy" 2>nul
    3⤵
    PID:4712
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "ServicePhilosophy"
      4⤵
      PID:4300
  - - C:\Windows\system32\findstr.exe
      Findstr /I "ServicePhilosophy"
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:2124
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_SystemEnclosure" "Version"
      4⤵
      PID:1928
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SerialNumber" | Findstr /I "SerialNumber" 2>nul
    3⤵
    PID:1936
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SerialNumber"
      4⤵
      PID:3620
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SerialNumber"
      4⤵
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:2872
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version"
      4⤵
      PID:3624
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version" | Findstr /I "Version" 2>nul
    3⤵
    PID:3696
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "Version"
      4⤵
      PID:864
  - - C:\Windows\system32\findstr.exe
      Findstr /I "Version"
      4⤵
      PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "manufacturer" | Findstr /I "manufacturer" 2>nul
    3⤵
    PID:2188
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "manufacturer"
      4⤵
      PID:3712
  - - C:\Windows\system32\findstr.exe
      Findstr /I "manufacturer"
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSBIOSVersion" | Findstr /I "SMBIOSBIOSVersion" 2>nul
    3⤵
    PID:2172
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSBIOSVersion"
      4⤵
      PID:2940
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSBIOSVersion"
      4⤵
      PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMajorVersion" | Findstr /I "SMBIOSMajorVersion" 2>nul
    3⤵
    PID:1200
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMajorVersion"
      4⤵
      PID:3372
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSMajorVersion"
      4⤵
      PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMinorVersion" | Findstr /I "SMBIOSMinorVersion" 2>nul
    3⤵
    PID:3976
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "SMBIOSMinorVersion"
      4⤵
      PID:760
  - - C:\Windows\system32\findstr.exe
      Findstr /I "SMBIOSMinorVersion"
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "ReleaseDate" | Findstr /I "ReleaseDate" 2>nul
    3⤵
    PID:1076
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "ReleaseDate"
      4⤵
      PID:380
  - - C:\Windows\system32\findstr.exe
      Findstr /I "ReleaseDate"
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "PrimaryBIOS" | Findstr /I "PrimaryBIOS" 2>nul
    3⤵
    PID:2336
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo sppwmi.vbs "Win32_BIOS" "PrimaryBIOS"
      4⤵
      PID:1272
  - - C:\Windows\system32\findstr.exe
      Findstr /I "PrimaryBIOS"
      4⤵
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemProductName" 2>nul
    3⤵
    PID:2264
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemProductName"
      4⤵
      Enumerates system info in registry
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET VERSION /format:list" 2>nul
    3⤵
    PID:4984
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET VERSION /format:list
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get manufacturer /Value 2>nul
    3⤵
    PID:2280
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get manufacturer /Value
      4⤵
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSBIOSVERSION /Value 2>nul
    3⤵
    PID:2436
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSBIOSVERSION /Value
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSMajorVersion /Value 2>nul
    3⤵
    PID:4768
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSMajorVersion /Value
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get SMBIOSMinorVersion /Value 2>nul
    3⤵
    PID:4980
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get SMBIOSMinorVersion /Value
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get VERSION /Value 2>nul
    3⤵
    PID:1052
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get VERSION /Value
      4⤵
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 BIOS Get ReleaseDate /Value 2>nul
    3⤵
    PID:3128
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS Get ReleaseDate /Value
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET PrimaryBIOS /format:list" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET PrimaryBIOS /format:list
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS - 1" 2
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS - 1" 2
      4⤵
      Executes dropped EXE
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "Generic.exe" /OS
    3⤵
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      Generic.exe /OS
      4⤵
      Executes dropped EXE
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe" /LDR
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
      C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe /LDR
      4⤵
      Executes dropped EXE
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe
    "C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic.exe" /SV
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Type "C:\Users\Admin\AppData\Local\Temp\MRP_QT\SLICv.txt" 2>nul
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path softwarelicensingservice get OA2xBiosMarkerStatus /value" 2>nul
    3⤵
    PID:3704
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path softwarelicensingservice get OA2xBiosMarkerStatus /value
      4⤵
      PID:3552
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "Windows*.txt" 2>nul
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs" 2>Nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs"
      4⤵
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs" 2>Nul
    3⤵
    PID:4808
  - - C:\Windows\system32\cscript.exe
      C:\Windows\Sysnative\CScript.exe //nologo "SystemRam.vbs"
      4⤵
      PID:1084
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:2344
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "Update Revision" /z 2>nul
    3⤵
    PID:1012
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "Update Revision" /z
      4⤵
      Checks processor information in registry
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 computersystem get NumberOfProcessors /format:list 2>nul
    3⤵
    PID:4464
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 computersystem get NumberOfProcessors /format:list
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "12th Gen Intel{R} Core{TM} i5-12400 {Ref:NVR} " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\system32\findstr.exe
    FindStr /i "Intel"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "12th Gen Intel{R} Core{TM} i5-12400 {Ref:NVR} " "
    3⤵
    PID:636
- - C:\Windows\system32\findstr.exe
    FindStr /i "AMD"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Intel64 Family 6 Model 151 Stepping 2 " "
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4532
- - C:\Windows\system32\findstr.exe
    FindStr /i "Intel64"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Intel64 Family 6 Model 151 Stepping 2 " "
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1212
- - C:\Windows\system32\findstr.exe
    FindStr /i "AMD64"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list" 2>nul
    3⤵
    PID:3032
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET NAME /format:list
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list" 2>nul
    3⤵
    PID:408
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 CSPRODUCT GET VENDOR /format:list
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list" 2>nul
    3⤵
    PID:2256
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MODEL /format:list
      4⤵
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:1996
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 COMPUTERSYSTEM GET MANUFACTURER /format:list
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list" 2>nul
    3⤵
    PID:3756
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET PRODUCT /format:list
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list" 2>nul
    3⤵
    PID:4028
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BASEBOARD GET MANUFACTURER /format:list
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 BIOS GET SERIALNUMBER /format:list" 2>nul
    3⤵
    PID:816
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 BIOS GET SERIALNUMBER /format:list
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC /locale:ms_409 csproduct get UUID /value 2>nul
    3⤵
    PID:468
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 csproduct get UUID /value
      4⤵
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BXPC____" 2
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BXPC____" 2
      4⤵
      Executes dropped EXE
      PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS_" 2
    3⤵
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS_" 2
      4⤵
      Executes dropped EXE
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "N/A" 2
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "N/A" 2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "NA" 2
    3⤵
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "NA" 2
      4⤵
      Executes dropped EXE
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "BOCHS" 2
    3⤵
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "BOCHS" 2
      4⤵
      Executes dropped EXE
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme" 2>nul
    3⤵
    PID:2480
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme"
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme" 2>nul
    3⤵
    PID:3464
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes" /v "CurrentTheme"
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ChkValid.exe "aero.theme" 2
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe
      ChkValid.exe "aero.theme" 2
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemManufacturer"
    3⤵
    PID:2972
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<VMware\>"
    3⤵
    PID:4192
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:4428
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<VirtualBox\>"
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    C:\Windows\Sysnative\reg.exe query "HKLM\SYSTEM\ControlSet001\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:2928
- - C:\Windows\system32\findstr.exe
    FindStr /I "\<Oracle\>"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:4292
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:884
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____" 2>nul"
    3⤵
    PID:4316
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "BXPC____" 2>nul"
    3⤵
    PID:1084
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:1628
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"AORUS"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:4356
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:1344
- - C:\Windows\system32\findstr.exe
    FindStr /I "AORUS"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "NA" 2>nul"
    3⤵
    PID:4132
- - C:\Windows\system32\findstr.exe
    FindStr /I /C:"Bell"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "QTOEMTest.ini" | FindStr /I "\<%INFO%\>" | FindStr /I /C:"NA" 2>nul
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "QTOEMTest.ini" "
      4⤵
      PID:2720
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<INFO\>"
      4⤵
      PID:4888
  - - C:\Windows\system32\findstr.exe
      FindStr /I /C:"NA"
      4⤵
      PID:4016
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "QTOEMTest.ini" | FindStr /I "\<%SLIC%\>" | FindStr /I "\<%BIOVER1234%\>" 2>nul
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "QTOEMTest.ini" "
      4⤵
      PID:636
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<SLIC\>"
      4⤵
      PID:2292
  - - C:\Windows\system32\findstr.exe
      FindStr /I "\<BOCHS\>"
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MBRGPT.exe
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\MRP_QT\MBRGPT.exe
      MBRGPT.exe
      4⤵
      Executes dropped EXE
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 partition where (bootable='TRUE' and name like '%0,%') get type /value" 2>nul
    3⤵
    PID:3112
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 partition where (bootable='TRUE' and name like '%0,%') get type /value
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Unknown " "
    3⤵
    PID:4892
- - C:\Windows\system32\findstr.exe
    FindStr /i "GPT"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC scsicontroller get name /value" 2>nul
    3⤵
    PID:4336
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC scsicontroller get name /value
      4⤵
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC idecontroller get name /value" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC idecontroller get name /value
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:4984
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"SCSI"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:4816
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"SAS"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    PID:3684
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"NVM"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Microsoft VHD Loopback Controller " "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"eMM"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Standard SATA AHCI Controller " "
    3⤵
    PID:1480
- - C:\Windows\system32\findstr.exe
    findstr /I /C:"ahci"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" 2>&1 | FindStr /i "PreferredUILanguages" 2>nul
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"
      4⤵
      PID:4260
  - - C:\Windows\system32\findstr.exe
      FindStr /i "PreferredUILanguages"
      4⤵
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "LocaleName" 2>&1 | FindStr /i "LocaleName" 2>nul
    3⤵
    PID:2824
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "LocaleName"
      4⤵
      PID:3128
  - - C:\Windows\system32\findstr.exe
      FindStr /i "LocaleName"
      4⤵
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "sLanguage" 2>&1 | FindStr /i "sLanguage" 2>nul
    3⤵
    PID:2692
  - - C:\Windows\system32\reg.exe
      C:\Windows\Sysnative\reg.exe query "HKEY_USERS\S-1-5-18\Control Panel\International" /v "sLanguage"
      4⤵
      PID:2452
  - - C:\Windows\system32\findstr.exe
      FindStr /i "sLanguage"
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatus /format:list" 2>nul
    3⤵
    PID:2356
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatus /format:list
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatusReason /format:list" 2>nul
    3⤵
    PID:3348
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name LIKE 'Windows%' and PartialProductKey is not null) get LicenseStatusReason /format:list
      4⤵
      PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET Description /value" 2>nul
    3⤵
    PID:1936
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET Description /value
      4⤵
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name like 'Windows%' and LicenseStatus='5') get name /value" 2>nul
    3⤵
    PID:4396
  - - C:\Windows\system32\Wbem\WMIC.exe
      WMIC /locale:ms_409 path SoftwareLicensingProduct where (Name like 'Windows%' and LicenseStatus='5') get name /value
      4⤵
      PID:4472
- - C:\Windows\system32\Wbem\WMIC.exe
    WMIC /locale:ms_409 path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' and LicenseStatus='1') get Name
    3⤵
    PID:2280
- - C:\Windows\system32\findstr.exe
    FindStr /i "Windows"
    3⤵
    PID:4188
- - C:\Windows\system32\cscript.exe
    C:\Windows\Sysnative\CScript.exe //NoLogo sppwmi.vbs "SoftwareLicensingProduct" "Description like '%KMSCLIENT%' and LicenseStatus='1'" "Name"
    3⤵
    PID:2428
- - C:\Windows\system32\findstr.exe
    FindStr /i "Windows"
    3⤵
    PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Generic.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3bf9756600f6c31a15240716e6e7c6

SHA1
521aa76b55f74cafd1b579933dc0fae439acb0f5

SHA256
f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

SHA512
96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
571c6a07ffe6fbbb641ac3f182b8eba6

SHA1
63b39c606e1e06593270874a29864acefa52de08

SHA256
4f02e11630c35793ab192b0c2caf4c0c2c4f8926e52245f667fb4ba8dfdb0384

SHA512
861536287f735e61f13ad731cd825ba9268a16d956e8c2adeb16075bfb25f0e296e647eb1220369d4b48ed727413adfeebd27e0219c8c49bf8c16ef7120d0961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4523ceb4828ca26369952331457e45a6

SHA1
9a5424151d4fe4bd57da9e8f9dcc53d37db9fec8

SHA256
e19ec5763f8dd1b9f1fab1cfa6d905d12946807a059e1ab324cfcc2081278a91

SHA512
ddd6c9ddd3a18c352694f0b2aae4100cf44b09a57c8aaae7facc1006a64dcb4291574cb65b44fd9cf247d82778ad00fc741841dd77f04096ca526d7e9c4324dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69910abcc7474b1a67c81e5b6dd88ea2

SHA1
768839c9e1e19ddc33c8a84ac507848bece9846e

SHA256
180d3cdfe71ac1ad850b04f1070c853044736c9f030c2e69f9947f4e35a4f879

SHA512
943ec4ed9de56780ecfcc39fbfe0dcc9838b8ddf506eabdbde8d8683be61c7d074213b46e4172b14781ac5cfe4a954ada9fdd7636b24d1d3cf1b635ef623809b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
3KB

MD5
5ef7e0e73ec8c836d468a19ccd1c13c5

SHA1
a3c9d0fce5771c71732355b0808dbc8200e31c98

SHA256
b62414052430b6eb7460b4beb954e9160075e74e9c48b8c0f06301bfae4ba55e

SHA512
0fd28ae4a1b8b840202a19af288f3354cb7220c6d823211260dd3a869c843e8e17b52114b367ab2fe3d8d353bd909f471d8d8cc4867338ed41f6b4c63093f54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a68fcc3482ebb381cd7eb80d4dfc7ac9

SHA1
68f694b1b7999996678244d8ef9d95f520ec2e39

SHA256
1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

SHA512
a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Temp\CurrentPowerPlans.txt

Filesize
294B

MD5
85aea682ac51e356b665b6dbce980860

SHA1
3e17f4df0920b06af041f0a2c920a560cc1fba79

SHA256
1fa495976ae913ff9adcfd5cffb46dc20a1fd506e35a3bd1142cfa76e58a82c8

SHA512
938800e51451f9f9339e085c2cd77289111261acd095bcd6a5e8742b455424b2f50e7d7200e9e2cb82fdaae5dc079de0e65e5643f34bd5083d241ced5bb0d14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\AvDummy.txt

Filesize
6B

MD5
fabc3596ed8cdc320e598a3edaeb4cac

SHA1
dfec7175a6a62757d83b93794df767d5acfadb82

SHA256
98151f3a6ba251eea70e602202c1c01eaa43d05f8677d9c9505e59e6ca4577c2

SHA512
56b2040c164339e838702ee793187e19154469eba23337df0005cc268344915d9beb6ac6b86b243dba46e158875745e26f3898099bc9112f253f67433313da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\BDTBT.exe

Filesize
443KB

MD5
1db1eab663363d484ef7c6c2f8edd7a6

SHA1
6ca71b66cf963a90391cd6c3de7b4babda03a53b

SHA256
9fd28b97864ebbaabbd3c3f9c5a46f8efc963ed5e90ebaaa2457afa8112807c4

SHA512
1836aecd18ae00358c0033b078776ddf697384aab77a8b536df88960715f287223707da2a73595dd7738b2fb5449000dfc427d0e756c70c486bace5026d9f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive.ps1

Filesize
657B

MD5
23c52f3043eaac0338b3e884c17789f0

SHA1
ef7b7dccc59806ae3eb2d54470d4da5d33cda199

SHA256
cb0ccbf5ad373f9fc1e1780f038af22a68e75a235c404ef54658819bdfa71cf5

SHA512
ff5cc6775f8254532361e164d6b841932ece1e91745fa29f206269aca55367bc9a4d19c073989ebf9b8c579e92c951aa8d769d5a851da0cd315750bc9486f5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkBLSDrive1.ps1

Filesize
510B

MD5
313b2f7171a5648f4e1ff8bce880181f

SHA1
a4a4f65b92f7dacee804ed10edcbcdd0c0dfbecb

SHA256
05d9321e248afb697f19f1df7f00c2362792042d9d10b2e2f1b1984e5dae8d20

SHA512
03a97008794ac7c00102d6500c6406f31723d7c51927a3ce80856f3b15ef412a4d16329ce42af8593e5ae99cc2a759b24c327a264da1153eb903b0d533d14359

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkValid.exe

Filesize
1.0MB

MD5
b80cea64819b96830ffbd93f5a98de31

SHA1
0d14c0ddfb91fda0422e3c1b429bda687fe9b94c

SHA256
8d7b0c58854cff4cf4e4935bdaf1fcf7c87e332be8865296da4f88ba61f92dd9

SHA512
dfe821abdad987736d8bf6c7c5a1e04c6163383d771a611aa4500dedd540a6d79e8825f1bce9d86e9d43a4c1afe1d594db8bda5e019b5c42be0e4f91965a3008

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\ChkVidAdaptrs.vbs

Filesize
3KB

MD5
30d9a18dab85c439328bf2e17316a0f3

SHA1
c52ada06e716b1155862fc6be6cc63f3c8c2e1a6

SHA256
6678845dd83b6f61a4aa29203645df46c647c315bb3fbb6ab41c6ff9218cfad8

SHA512
6786c7e0d76074a75ea5bf64332aaf917b2468fca3586887bb8a69bf9c37c5bd7011faf40b57004392d7d56e4400b369102103cb00b8cd84e5e20bdbe4e0bc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\CompUpTime2.vbs

Filesize
971B

MD5
cd62371dcadf7b88c5a7cf4f7725de2c

SHA1
89ec895b9f527f26d2270994c133849eede93bef

SHA256
a7b3e7895a1ab3a8dfe0fde979beb5b653f8ccef8a0422a13b55e01f315ccdec

SHA512
2a74286c2cb08578a666a7342479a9378670c744492f4848d30a4325b48913bd6b0c748c52477c5a9467f5caa36244f83fed698713bc5ade5e8a39a730b1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\DiskModelNameW7.vbs

Filesize
957B

MD5
d356b4f84c635cb2f301c8cc23442bc0

SHA1
4bf8c4d79c15545a465ce6097b2b6d5de6fb9cea

SHA256
a359cda306e3a4cb4007a9cf8083a232daafc53cfc2ba5e912b14e7c717638c9

SHA512
b66189203b8a51a76fc9afadebcb3cfa41f32f5e45216dfc96703c71ee17d64db7df5c92cc3876eeeef3a9e64ad0581b9c247a441812024153556a552bf2f6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\FindDuplicates.cmd

Filesize
629B

MD5
44e07d6090d7b5eb77921bf4d09eb83e

SHA1
039107a06871cec8685bee0706260c43858e8814

SHA256
7f1ccfeced3c668f0a70aab8ea29452909f5247c5f58bfe980078aa835cdbf8b

SHA512
634d825fd58c99dd7bd0942d3f50cf92721cd704f616f9eeef5085cd9f3969dfe7b6899be01b98323c77d498ab93b89fc10ea86acb0b7091aaea207750707dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\FindTPM.vbs

Filesize
3KB

MD5
8986ecd2f91299f588b4bb89ef600789

SHA1
8da57741ce6e3f7a4ffcbdec8c0b13ee6bd31e4d

SHA256
b438afe08b9d277f13b1ea491b5e36f0852344002bbe558a7daf75f8d3a4826f

SHA512
e383fd5cdd43f403aab9fc7b7a44ffbf40111e438c2abe7e3111823fc04208729a83f4ee29b3313a57e85cc08ad6aa84fe19e248c613116b71733500d36e05c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic_2.exe

Filesize
25KB

MD5
99022b783ef7c73c93c1dfa1ac630cac

SHA1
ec79d766c9586029a12d5265b2ba0be9d1428111

SHA256
78c8ccb562ee0290c63a91c48107cb79ab5cd1d7f6d058688338d1e6190f0e58

SHA512
5a91ba7523eae2f89d138f7b523999d4deefe2f3a6ff0849705a7d8f559ff7d379c390e9c724486aa9b7daefe07819c27a67f781f4d8dec6c284c64e91420aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Generic_4.exe

Filesize
25KB

MD5
9feb2b5e667b34d220db3e774a31946d

SHA1
bf157e7f0e8895ceac6a0cf80edeca90aa29f6b7

SHA256
617b441c97bd97aeb01ff0c6d8f8dc4b3626716f0b75f889f620e2b2e95cb750

SHA512
dc2c442f4caab3989fbe33f9f1e239760d6b10d589c364e97764a9d44909db778d16a4cefde9aef4667cabba04ca8dfdc7e028aa9272d51180ecd78b1955a6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\GetInstDate.vbs

Filesize
738B

MD5
f38f65a23011e28666f0b57867361f36

SHA1
25aa6fc298a5623c2f98d0354232200ac6347187

SHA256
10459b8096990d5fadf286002803e81fd66dd188fb525eee783de2ad196b3b70

SHA512
89b4a03ecae04b7c9a6533680206813f71d177d186d65756d7c76c9f63d90fa79218016fc8e3aa1222b85c45ffb7f47846173af5ef07d601730314146db422cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Isw11.vbs

Filesize
409B

MD5
b05c0a8b0098da8a286bf68daf2bd7ac

SHA1
aa4bc8e4ac85e65fb4a397ddeaf3950c33737cb8

SHA256
fa45531a0f1e8339b64e26bf031f770901c8d80b2aa9e8af7c65211c67e2e2e4

SHA512
45db1a714453caa6bd774da48096da07c474b375c4f7b4ce11e91d7893e81ac1c6cdefc721f9365cc63a6650ae191f6f4316916b6457c1ffbea9d62b243428cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd

Filesize
528KB

MD5
29f9ddb88e68613402e57b551ca048fe

SHA1
5b6538e9ae86a6bd07946007f2624c14689f83f0

SHA256
8d3cf66be6e89bf1c208fe01b920df681c50bb2e21d1cbe82052d4d6aa7eeb6e

SHA512
9fc9158d3f780830df1720f8ad73afa91221756fc21568bee6d81c0e9ca8bacbc60ea9c07562d05f51b888b0079989c5f76df7ea04a9cfc63aece263936850a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRPCPUNum.vbs

Filesize
794B

MD5
53e2eabc0a45a0c27cd3801d764c321c

SHA1
cfd7d62480204e3ecc58f4c447d97decc9371b0b

SHA256
321a2ef1ab98d95285d15abf3bb90156b67b7031696687792926f9e2cafd92e2

SHA512
16dc42d4a2af380d0d1b896bcc1ae8622885a251d13cad9a938b8480f349f7c86be903197d627489a83d9ee2937ff4688178ac0491a4cb4d4329edef47b5d6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRPDetectCPU.vbs

Filesize
2KB

MD5
bce8298bc2d9bc9c9157394f1a395fa9

SHA1
a278c3431e14073cec181f6646a04e5deb5b90dd

SHA256
ad1702bcdf3e2bfda254ee92904305d4c2aa4a0c1355f45e7ea549203587646f

SHA512
0996f5c719e2e2016883bdbef9382d3d0af1e057b733f64c7e1217d8ab52785a6bb2c2955dd11096dc40b3106c68c2ce7de2f531fae58cb441d22ae09d671aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\MRP_VMDetect.Exe

Filesize
859KB

MD5
9b43bedc285ba2fc192075f5d2ad252a

SHA1
c9d82eb15a7df309f9dff0a88f2f03359d0f08c8

SHA256
3d609970dc1a1be3314684dbecc3e9274a540187545d9c95dac3d3dbc95ff0e8

SHA512
967943a29c80b61c279e9cd425a4bb7ed63f55b2056b397fdc8280e949fc76b80e1472a1cc4564a2f50b3c4c77e6181b4524d75a489e8c6a4c2e40e8b702a332

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\NETAdapt.vbs

Filesize
317B

MD5
b24f7b29cb0b5d4d99634e6ae35cfab0

SHA1
834f8b913d105320d9d7116f951d00f693aba31b

SHA256
83ab14a3451626d2ce59b2c98faad04c35d958aa45c6d8486a30034a29a508e4

SHA512
749c9e8e38a2ed77fba4a9ec4f221886acb71458f0b4a6f27820a97c75b9b51e7819c8a85f740cbc5a9ed5c8ce5277585911e9557d08cdf5af5ff3a9bb2ae492

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\NewSKU.ini

Filesize
3KB

MD5
3c2add1c0a2d9624853b2b245c1bd33c

SHA1
764d71aa4d1c0e625f04dd54f21e78c15510c900

SHA256
ce7dc8c3aa00737a1ec81e1d98c58c0ea6d50990eac40ae2098baacc3d976ad3

SHA512
373472cd53b8dd075499ccc18e5da12ce58e65a563542d791b97db7f763f30ce271dc85625cace788ec99502f7c8fe71d9cd3e38fc99f0fb73ca025de8e549f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\OldSKU.ini

Filesize
3KB

MD5
57f76f5b28e083e3d8661f4bb6ed2383

SHA1
85edab3847047a5699ddd2e4065be68feb280201

SHA256
30dab473b21c387e0a77a0eabac7beb428b7292d5307a8088a85dfd64f7693fd

SHA512
34b91f473cf9a51d514ddf41de71cd2d9f90d2b16c7d2a47dd61f056a027c7efc40c8185282d6c78bca83da98ffd1b66854642158a6184c28a91b6bb38a8a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\PSVid3.ps1

Filesize
1KB

MD5
10cddd18a87c323addc4556495230f72

SHA1
aff5315ae7bd1223b259961f1c92b0e7cca83376

SHA256
6ca5dc620e424f9f4688212e281e4018fb75e0ae0a762477619ce5bd0ffb7c81

SHA512
c365ee4138b7579b1982ed2f0a07a1757e845bce8b9ed26dab77b3e30c5468c7558b1daf77c8d21348023623b1bb03d145189b1608d9a02f41ed77fbcac3601a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\QueryDisks.vbs

Filesize
573B

MD5
ff24c47d2781c69c91d7508851ab5cac

SHA1
d9de6ea4ef2d7dca893d69e2d3b4157258c1cbce

SHA256
9dc81d360d86d64a842d36c0b720dd4331adf396bde95b1c6491c4330ba3e1f4

SHA512
b92e26c844ec621167c42fc2c966f5b5d0b23d7418e3c42f40f8f5cac62e7c0f590388739398cc7355810cdb9d5b3f4f8156b6b522bd67cb4eab9e2eea7a3e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\SLICv.txt

Filesize
9B

MD5
3e8fb09e71357a305daaffcb73d7ad46

SHA1
472ff7ae05e592c289df0ba97b8881422be3921e

SHA256
b652c559cac3cf2e78cb6cf68b87d943a8a2e4baa336afefd83fdbb2c921b435

SHA512
188825521049af97b3a99c43b73e32b59cd06348f89d1bbc696add94ff35865c71e822b37934421c4ec9a2edbe175ad7cdb57539ae0510a2b79318c2fadcc2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\SystemRam.vbs

Filesize
751B

MD5
da03c0e4f915c31147ee2adeb775958d

SHA1
c062096f40559dab4be04a5ebea7991696729069

SHA256
d8039cc11688243feb184db7a83d12440cefcbf7db7e35d541c759f74095761f

SHA512
985a325af8d4d3e3499ccf3d53f1362ae028d598bcef6270268f1df52808e43c029cff9d1c7fb8add50430b4b747594ecd8c90a64ace95556029c57ee345f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\UnixDateToDate.vbs

Filesize
424B

MD5
05b1670272d8cdf794d6b3cd8fe3aaa6

SHA1
fb5cb15b462643cfaa1d386e7073e620939f919c

SHA256
ab0ea82d4d3b9b90900f1c719058f92c658aad1cb327e5d318f36d076be53e24

SHA512
28995b257e65f73383e05e24e1155f074427b9e2b7b4c63528c9c2986ae6b442c33cebc02c0321728227c9ddca151cc8ffd60ab4dd14fdb8ef71375e43b7acfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Video.txt

Filesize
1KB

MD5
070aa8bc65699b1e3787ffab29280d66

SHA1
a940ce676181efcd0c665e019b4c988b9c41c967

SHA256
bc1b5704627792c48ed6256b670565cddcc00a96b70cb86bcc332bf6aac58b4e

SHA512
36f5ed79d2412afa77f64020ff113106e68dfb0129828c74643af9675a81a3371db5aa62a9b7daf2ecc3aba2a9d085e630e9dee2ff37bd6c549023eec423e0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\Windows 10 Pro.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\no1.txt

Filesize
4KB

MD5
dd19e7b17e33cb0caa62cf4cf4f575e1

SHA1
d298620b08f3d0d8c0c26caa276f40a5012baad8

SHA256
d755caed088835e4851961eb1742afda59a4bdfd48914c180fee4c8fa1183a09

SHA512
b9c1a7a8bd490089aa6de92d6f9f9d9b0ad2f892fe0d9bdd7ef26ba37886a2a6f4ca6f1356aa51c71f63695de7d07cf95fa9b64894b240a3cdfc62dd5cb503a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\no1.txt

Filesize
4KB

MD5
fa39dd5699055e1a4e1ba326a7ee5793

SHA1
3929be8ce23596a0936c0c9f91c821d27cea60c1

SHA256
2041a72bbe37e4eb0513e88b03749b8b272f06ebbc6018988c6f4471652082ac

SHA512
e1772f09824493679287c9069fa8b102f29c1fe5f3784cb2f43a72d7a4ef2994975798ff74440115ce940eee80fbb76e3c5c6625dca4f80b45ce3e923f2bcc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\sppwmi.vbs

Filesize
568B

MD5
d7aa084ac8c798ad8442fa5068ef10f9

SHA1
78b2d1b46115c37e6399153b7836288f33032cf3

SHA256
b63e5339170389020ff96fbb250a77632d9e0e2ca7cda6e0bd391ee1171a2183

SHA512
1d675fc0b035f0e4c2fe09143fb129ae61824ee18901af178f32aa5572f872b88f583b4b331b186bbbee6eddd7fb7a3c41730d2157182ca97fb087b5b8cea7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRP_QT\zFileVer.cmd

Filesize
623B

MD5
f9e9be7fe8fba17f6640d38d999a2a75

SHA1
9f0b5be8bf088dd2c2b0489d96647db1915ceeb8

SHA256
29de72c08983500798a15f58a27fc0c45e412cbc6cf0c1b3da0eb5a4e817496e

SHA512
7767d272012f9aa46853321bf18838e6267c32c013db4784f57a3f7a4a765eca471e516774d9e09bf60b906f120aea6579be969f1b18e8063c0426ab6dd41997

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTLog.log

Filesize
4KB

MD5
b3614cec9a2de7ec599f42f926fa79b2

SHA1
f114465c1eee85cbe35a4b535f02f91a69430cc7

SHA256
bccfddecab204ee083928238e0564a7139d2c867838467b9db90bb9023680596

SHA512
36ce534f1c6389354f0faba3ffe988275221b5844293ac83b4feac33a9ccb39b526db377f72ee259c22260d6e0d2751486bb6298579aa1dc3f7adeef523c93c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03ch4mvm.edv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1252-242-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/4036-203-0x000001E1BFDC0000-0x000001E1BFE36000-memory.dmp

Filesize
472KB

Download
memory/4036-204-0x000001E1BFBC0000-0x000001E1BFBDE000-memory.dmp

Filesize
120KB

Download
memory/4292-48-0x00000288C2220000-0x00000288C2242000-memory.dmp

Filesize
136KB

Download
memory/4384-273-0x000002C2DC070000-0x000002C2DC096000-memory.dmp

Filesize
152KB

Download
memory/4384-272-0x000002C2C3B80000-0x000002C2C3B8A000-memory.dmp

Filesize
40KB

Download
memory/4384-271-0x000002C2C3B60000-0x000002C2C3B76000-memory.dmp

Filesize
88KB

Download
memory/4504-121-0x000001B1371E0000-0x000001B1371EA000-memory.dmp

Filesize
40KB

Download
memory/4504-123-0x000001B137280000-0x000001B1372A4000-memory.dmp

Filesize
144KB

Download
memory/4504-122-0x000001B137280000-0x000001B1372AA000-memory.dmp

Filesize
168KB

Download
memory/4732-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4732-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download