hxxps://github[.]com/dpadGuy/UwUTools/releases/download/V1[.]4/UwUTools[.]exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
159	4140	msedge.exe
27	4140	msedge.exe

Executes dropped EXE 64 IoCs

pid	Process
2644	UwUTools.exe
1308	SystemInformer.exe
5112	Anydesk.exe
696	Anydesk.exe
5428	Anydesk.exe
3584	heroic.exe
3236	heroic.exe
1724	heroic.exe
1968	gogdl.exe
5072	heroic.exe
4844	gogdl.exe
2288	heroic.exe
5548	heroic.exe
5132	legendary.exe
2732	legendary.exe
2340	gogdl.exe
5316	nile.exe
2864	legendary.exe
2140	gogdl.exe
3924	nile.exe
5924	legendary.exe
2144	legendary.exe
5068	gogdl.exe
3580	nile.exe
5164	legendary.exe
5604	gogdl.exe
3520	nile.exe
1836	heroic.exe
1888	heroic.exe
2464	pwsh.exe
5792	WinXShell.exe
916	Arcade.exe
5488	nintendoswitch.exe
3708	explorer.exe
1860	wallpaperchanger.exe
4736	explorer.exe
3280	wallpaperchanger.exe
760	Galactic_Explorer.exe
3748	GalacticToolsV3.exe
1304	nintendoswitch.exe
4360	explorer.exe
2476	explorer.exe
388	explorer.exe
5980	explorer.exe
3712	Galactic Task Manager.exe
5728	Explorer++.exe
1272	runthis.exe
5556	fury.exe
4048	fury.exe
4564	fury.exe
4692	fury.exe
956	fury.exe
6744	Moonlight.exe
6472	fury.exe
3648	CloudForceUpdater.exe
1868	CloudForce-Stable.exe
1136	Lightcord.exe
6992	Lightcord.exe
4144	Lightcord.exe
6944	Lightcord.exe
4136	Lightcord.exe
6752	Lightcord.exe
4664	Lightcord.exe
3888	Lightcord.exe

Loads dropped DLL 64 IoCs

pid	Process
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
5428	Anydesk.exe
696	Anydesk.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3236	heroic.exe
3236	heroic.exe
3236	heroic.exe
3236	heroic.exe
3236	heroic.exe
1724	heroic.exe
5072	heroic.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
4844	gogdl.exe
2288	heroic.exe
5548	heroic.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe
2732	legendary.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3712-20340-0x0000000005A10000-0x0000000005C20000-memory.dmp	agile_net
behavioral1/memory/1868-26480-0x0000000008260000-0x000000000827C000-memory.dmp	agile_net
behavioral1/memory/1868-26481-0x0000000008570000-0x000000000858C000-memory.dmp	agile_net
behavioral1/memory/1868-26482-0x0000000008590000-0x00000000085B0000-memory.dmp	agile_net
behavioral1/memory/1868-26483-0x0000000008C60000-0x0000000008C80000-memory.dmp	agile_net
behavioral1/memory/1868-26486-0x0000000008C90000-0x0000000008C9E000-memory.dmp	agile_net
behavioral1/memory/1868-26485-0x0000000008DB0000-0x0000000008E1E000-memory.dmp	agile_net
behavioral1/memory/1868-26484-0x0000000008CE0000-0x0000000008D3A000-memory.dmp	agile_net
behavioral1/memory/1868-26487-0x0000000008CA0000-0x0000000008CAE000-memory.dmp	agile_net
behavioral1/memory/1868-26488-0x0000000008D40000-0x0000000008D58000-memory.dmp	agile_net
behavioral1/memory/1868-26489-0x0000000009070000-0x00000000091BA000-memory.dmp	agile_net

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000e00000002be64-26216.dat	vmprotect
behavioral1/memory/3648-26221-0x0000000000DF0000-0x0000000000E4A000-memory.dmp	vmprotect
behavioral1/files/0x000c00000002c08b-26376.dat	vmprotect
behavioral1/memory/1868-26382-0x0000000000C40000-0x00000000014EE000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fury.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	Galactic_Explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\D:	Explorer++.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
256	raw.githubusercontent.com
258	raw.githubusercontent.com
264	discord.com
266	discord.com
273	discord.com
192	raw.githubusercontent.com
261	raw.githubusercontent.com
272	discord.com
102	raw.githubusercontent.com
255	raw.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1512	powershell.exe
6068	powershell.exe
2068	powershell.exe
4016	powershell.exe
4472	powershell.exe
2768	powershell.exe
400	powershell.exe
5908	powershell.exe
2732	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\Wallpaper = "%localappdata%\\Taskbar\\Default Wallpapers\\geforcefuturewallpaper.png"	wallpaperchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\Wallpaper = "C:\\Arcade\\WinXShell\\bin\\shell\\123.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\Wallpaper = "%localappdata%\\Taskbar\\Default Wallpapers\\geforcefuturewallpaper.png"	wallpaperchanger.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-shared-components\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\wallet-webui-101.079f5d74a18127cd9d6a.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1336619824\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1562416212\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-shared-components\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\wallet\wallet-checkout-eligible-sites-pre-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\Wallet-BuyNow\wallet-buynow.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\wallet-webui-925.baa79171a74ad52b0a67.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\mn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-mobile-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\vendor.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification-shared\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-shared-components\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\Wallet-Checkout\wallet-drawer.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-hub\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\fr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1546422825\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1317086152\_platform_specific\win_x64\widevinecdm.dll.sig	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3584_731305889\_platform_specific\win_x64\widevinecdm.dll	heroic.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3584_624583798\manifest.json	heroic.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\wallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\wallet_checkout_autofill_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_351481673\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1472474885\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\bnpl\bnpl.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\runtime.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1562416212\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification-shared\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-notification-shared\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-shared-components\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1874157905\_locales\hy\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	heroic.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1546422825\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1763052515\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\i18n-ec\th\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\json\wallet\README.md	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_1182941524\Mini-Wallet\mini-wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3584_731305889\manifest.json	heroic.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5632_350838420\deny_full_domains.list	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GalacticToolsV3.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GalacticToolsV3 (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\UwUTools.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Arcade.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Galactic_Explorer.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runthis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudForceUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anydesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anydesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Arcade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galactic_Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galactic Task Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudForce-Stable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anydesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GalacticToolsV3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lightcord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	heroic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	heroic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	heroic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	fury.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	fury.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	fury.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	heroic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	heroic.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Anydesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	heroic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	heroic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	heroic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	heroic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fury.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	heroic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	fury.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	UwUTools.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	GalacticToolsV3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	UwUTools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	UwUTools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Arcade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Arcade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	GalacticToolsV3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Arcade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	GalacticToolsV3.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
3716	taskkill.exe
5996	taskkill.exe
2220	taskkill.exe
4536	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Internet Explorer\TypedURLs	CloudForce-Stable.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Internet Explorer\TypedURLs	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876175109293545"	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinXShell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7346"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WinXShell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100070000001400000050003a005c004e00650070006e00710072005c004a00760061004b00460075007200790079005c006f00760061005c0066006a00760067007000750072006500620062005c006100760061006700720061007100620066006a0076006700700075002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000e907030046006a00760067007000750072006500620062000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000000000000000000000000000000000000000000000000000000000005eb0bb3cad9fdb0100000000000000000000000046006a007600670070007500720065006200620000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050003a005c0048006a004800470062006200790066005c004e0061006c0071007200660078005c004e0061006c0071007200660078002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e90300000000000000000000e90703004e0061006c00510072006600780020002d002000650072006e0071006c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000000000000000000000000000000000000cd09f53ead9fdb010000000000000000000000004e0061006c00510072006600780020002d002000650072006e0071006c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e9070300420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000538159453e94db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e9070300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e9070300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e9070300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e9070300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13864"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	Galactic_Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Galactic_Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	WinXShell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WinXShell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	WinXShell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13996"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133863607605685520"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7342"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Galactic_Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	WinXShell.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12646"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe!	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	Galactic_Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	WinXShell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12454"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Galactic_Explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Galactic_Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	Galactic_Explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "3"	Galactic_Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinXShell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	WinXShell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinXShell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "264"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "12514"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Galactic_Explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000006d5ac08e13004465736b746f7000680009000400efbec55259617c5aee342e0000009f0500000000010000000000000000003e0000000000fff6be004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003900000016000000	Galactic_Explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Galactic_Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\heroic\URL Protocol	heroic.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	SystemInformer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	SystemInformer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	SystemInformer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	SystemInformer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	SystemInformer.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\UwUTools.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Arcade.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Galactic_Explorer.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GalacticToolsV3.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GalacticToolsV3 (1).exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6744	Moonlight.exe
6304	CBLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2768	powershell.exe
2768	powershell.exe
4472	powershell.exe
4472	powershell.exe
4016	powershell.exe
4016	powershell.exe
4472	powershell.exe
2768	powershell.exe
4016	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1584	explorer.exe
5980	explorer.exe
5728	Explorer++.exe
6744	Moonlight.exe
6304	CBLauncher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	UwUTools.exe
Token: SeDebugPrivilege	1308	SystemInformer.exe
Token: SeIncBasePriorityPrivilege	1308	SystemInformer.exe
Token: 33	1308	SystemInformer.exe
Token: SeLoadDriverPrivilege	1308	SystemInformer.exe
Token: SeProfSingleProcessPrivilege	1308	SystemInformer.exe
Token: SeBackupPrivilege	1308	SystemInformer.exe
Token: SeRestorePrivilege	1308	SystemInformer.exe
Token: SeShutdownPrivilege	1308	SystemInformer.exe
Token: SeTakeOwnershipPrivilege	1308	SystemInformer.exe
Token: SeSecurityPrivilege	1308	SystemInformer.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1320	powershell.exe
Token: SeSecurityPrivilege	1320	powershell.exe
Token: SeTakeOwnershipPrivilege	1320	powershell.exe
Token: SeLoadDriverPrivilege	1320	powershell.exe
Token: SeSystemProfilePrivilege	1320	powershell.exe
Token: SeSystemtimePrivilege	1320	powershell.exe
Token: SeProfSingleProcessPrivilege	1320	powershell.exe
Token: SeIncBasePriorityPrivilege	1320	powershell.exe
Token: SeCreatePagefilePrivilege	1320	powershell.exe
Token: SeBackupPrivilege	1320	powershell.exe
Token: SeRestorePrivilege	1320	powershell.exe
Token: SeShutdownPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeSystemEnvironmentPrivilege	1320	powershell.exe
Token: SeRemoteShutdownPrivilege	1320	powershell.exe
Token: SeUndockPrivilege	1320	powershell.exe
Token: SeManageVolumePrivilege	1320	powershell.exe
Token: 33	1320	powershell.exe
Token: 34	1320	powershell.exe
Token: 35	1320	powershell.exe
Token: 36	1320	powershell.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeShutdownPrivilege	3584	heroic.exe
Token: SeCreatePagefilePrivilege	3584	heroic.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeIncreaseQuotaPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeTakeOwnershipPrivilege	2868	powershell.exe
Token: SeLoadDriverPrivilege	2868	powershell.exe
Token: SeSystemProfilePrivilege	2868	powershell.exe
Token: SeSystemtimePrivilege	2868	powershell.exe
Token: SeProfSingleProcessPrivilege	2868	powershell.exe
Token: SeIncBasePriorityPrivilege	2868	powershell.exe
Token: SeCreatePagefilePrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeRestorePrivilege	2868	powershell.exe
Token: SeShutdownPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeSystemEnvironmentPrivilege	2868	powershell.exe
Token: SeRemoteShutdownPrivilege	2868	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
1308	SystemInformer.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
5428	Anydesk.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
3584	heroic.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
5312	MiniSearchHost.exe
1664	explorer.exe
5064	SearchHost.exe
2840	StartMenuExperienceHost.exe
1664	explorer.exe
5792	WinXShell.exe
5792	WinXShell.exe
5488	nintendoswitch.exe
1584	explorer.exe
3916	SearchHost.exe
5232	StartMenuExperienceHost.exe
1584	explorer.exe
1584	explorer.exe
760	Galactic_Explorer.exe
760	Galactic_Explorer.exe
1584	explorer.exe
4048	fury.exe
6744	Moonlight.exe
6744	Moonlight.exe
6744	Moonlight.exe
6744	Moonlight.exe
6744	Moonlight.exe
6744	Moonlight.exe
6744	Moonlight.exe
6304	CBLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5632 wrote to memory of 4248	5632	msedge.exe	78
PID 5632 wrote to memory of 4248	5632	msedge.exe	78
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 4140	5632	msedge.exe	80
PID 5632 wrote to memory of 4140	5632	msedge.exe	80
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 5692	5632	msedge.exe	79
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81
PID 5632 wrote to memory of 4636	5632	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/dpadGuy/UwUTools/releases/download/V1.4/UwUTools.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7fff591df208,0x7fff591df214,0x7fff591df220
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1872,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2392,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=2924 /prefetch:13
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3412,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3436,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4876,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:14
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4888,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:14
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:14
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5520,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:14
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6300,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:14
  2⤵
  PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6364,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:14
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6364,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:14
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6704,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:14
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:14
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5928,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2724
- C:\Users\Admin\Downloads\UwUTools.exe
  "C:\Users\Admin\Downloads\UwUTools.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- - C:\UwUTools\amd64\SystemInformer.exe
    "C:\UwUTools\amd64\SystemInformer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1308
- - C:\UwUTools\Anydesk\Anydesk.exe
    "C:\UwUTools\Anydesk\Anydesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
  - - C:\UwUTools\Anydesk\Anydesk.exe
      "C:\UwUTools\Anydesk\Anydesk.exe" --local-service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:696
  - - C:\UwUTools\Anydesk\Anydesk.exe
      "C:\UwUTools\Anydesk\Anydesk.exe" --local-control
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5428
- - C:\UwUTools\Heroic Launcher\heroic.exe
    "C:\UwUTools\Heroic Launcher\heroic.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3584
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1788 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-CimInstance -Class Win32_VideoController -Property AdapterCompatibility,DriverVersion,PnPDeviceID | Select-Object AdapterCompatibility,DriverVersion,PnPDeviceID | ConvertTo-Json -Compress
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --mojo-platform-channel-handle=2176 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1724
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--auth-config-path`\"\",\"`\"C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json`\"\",\"`\"auth`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6068
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "auth"
        5⤵
        Executes dropped EXE
        
        PID:1968
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "auth"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4844
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --mojo-platform-channel-handle=2812 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5072
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --mojo-platform-channel-handle=2764 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-ItemProperty HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName | Format-Table -AutoSize
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5556
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --app-user-model-id="Heroic Games Launcher" --app-path="C:\UwUTools\Heroic Launcher\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"cleanup`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "cleanup"
        5⤵
        Executes dropped EXE
        
        PID:5132
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "cleanup"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-CimInstance -Class Win32_OperatingSystem -Property Caption,Version | Select-Object Caption,Version | ConvertTo-Json -Compress
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "which wine"
      4⤵
      PID:4240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4016
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
        5⤵
        Executes dropped EXE
        
        PID:2864
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
        6⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--auth-config-path`\"\",\"`\"C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json`\"\",\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4472
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "--version"
        5⤵
        Executes dropped EXE
        
        PID:2340
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "--version"
        6⤵
        Executes dropped EXE
        
        PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2768
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile" "--version"
        5⤵
        Executes dropped EXE
        
        PID:5316
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile" "--version"
        6⤵
        Executes dropped EXE
        
        PID:3924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-CimInstance -Class Win32_VideoController -Property AdapterCompatibility,DriverVersion,PnPDeviceID | Select-Object AdapterCompatibility,DriverVersion,PnPDeviceID | ConvertTo-Json -Compress
      4⤵
      PID:3120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-CimInstance -Class Win32_OperatingSystem -Property Caption,Version | Select-Object Caption,Version | ConvertTo-Json -Compress
      4⤵
      PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:400
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
        5⤵
        Executes dropped EXE
        
        PID:2144
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
        6⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--auth-config-path`\"\",\"`\"C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json`\"\",\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2732
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "--version"
        5⤵
        Executes dropped EXE
        
        PID:5068
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\gogdl" "--auth-config-path" "C:\Users\Admin\AppData\Roaming\heroic\gog_store\auth.json" "--version"
        6⤵
        Executes dropped EXE
        
        PID:5604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process "\"`\"C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--version`\"\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5908
    - - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile" "--version"
        5⤵
        Executes dropped EXE
        
        PID:3580
      - C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile.exe
        
        "C:\UwUTools\Heroic Launcher\resources\app.asar.unpacked\build\bin\win32\nile" "--version"
        6⤵
        Executes dropped EXE
        
        PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp 65001|powershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}""
      4⤵
      PID:5844
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1512
      - C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        6⤵
        
        PID:2356
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --app-user-model-id="Heroic Games Launcher" --app-path="C:\UwUTools\Heroic Launcher\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3676 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1888
  - - C:\UwUTools\Heroic Launcher\heroic.exe
      "C:\UwUTools\Heroic Launcher\heroic.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\heroic" --app-user-model-id="Heroic Games Launcher" --app-path="C:\UwUTools\Heroic Launcher\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3556 --field-trial-handle=1792,i,11283464791655917437,13960382050698976324,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      4⤵
      Executes dropped EXE
      PID:1836
- - C:\UwUTools\PowerShell\pwsh.exe
    "C:\UwUTools\PowerShell\pwsh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\UwUTools\WinXShell_x64\WinXShell.exe
    "C:\UwUTools\WinXShell_x64\WinXShell.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:5792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @dir /b .\lua_helper\*.lua
      4⤵
      PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4148,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:14
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6428,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:14
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6940,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:14
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:14
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:14
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7116,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:14
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7156,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:10
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:14
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:14
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4732,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:14
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5244,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:14
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:14
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=5648,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=7036,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5460,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3692,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2032
- C:\Users\Admin\Downloads\Arcade.exe
  "C:\Users\Admin\Downloads\Arcade.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C title sex && del "C:\Users\kiosk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.lnk" && del "C:\Users\kiosk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.exe" && xcopy /s C:\\Arcade\\WinXShell\\Shortcuts \"C:\\Users\\kiosk\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\ && xcopy /s C:\\Arcade\\WinXShell\\DesktopShortcuts \"%USERPROFILE%\\Desktop\ && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v {374DE290-123F-4565-9164-39C4925E467B} /t REG_EXPAND_SZ /d "C:\Arcade"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Arcade\WinXShell\bin\switcheroo\nintendoswitch.exe
    "C:\Arcade\WinXShell\bin\switcheroo\nintendoswitch.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Arcade\WinXShell\bin\shell\123.jpg" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Arcade\WinXShell\bin\shell\123.jpg" /f
      4⤵
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:4156
- - C:\Arcade\WinXShell\bin\shell\explorer.exe
    "C:\Arcade\WinXShell\bin\shell\explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:3708
- - C:\Arcade\WinXShell\bin\shell\wallpaperchanger.exe
    "C:\Arcade\WinXShell\bin\shell\wallpaperchanger.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:1860
- - C:\Arcade\WinXShell\bin\shell\explorer.exe
    "C:\Arcade\WinXShell\bin\shell\explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Arcade\WinXShell\bin\shell\wallpaperchanger.exe
    "C:\Arcade\WinXShell\bin\shell\wallpaperchanger.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:3280
- - C:\Arcade\notepad.exe
    "C:\Arcade\notepad.exe"
    3⤵
    PID:4956
- - C:\Arcade\CBLauncher.exe
    "C:\Arcade\CBLauncher.exe"
    3⤵
    PID:5548
  - - C:\Arcade\CBLauncher.exe
      "C:\Arcade\CBLauncher.exe"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6304
    - - C:\Arcade\CBLauncher.exe
        
        "C:\Arcade\CBLauncher.exe" "--multiprocessing-fork" "parent_pid=6304" "pipe_handle=1320"
        5⤵
        
        PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3704,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:14
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4268,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:14
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3680,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3432 /prefetch:14
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3492,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6928 /prefetch:14
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3632,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:14
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5256,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4664,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3428,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:14
  2⤵
  PID:536
- C:\Users\Admin\Downloads\Galactic_Explorer.exe
  "C:\Users\Admin\Downloads\Galactic_Explorer.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=5660,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7044,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=3708,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3380,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4024
- C:\Users\Admin\Downloads\GalacticToolsV3.exe
  "C:\Users\Admin\Downloads\GalacticToolsV3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Galactic Launcher\WinXShell\start.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5916
  - - C:\Galactic Launcher\WinXShell\bin\switcheroo\nintendoswitch.exe
      "C:\Galactic Launcher\WinXShell\bin\switcheroo\nintendoswitch.exe"
      4⤵
      Executes dropped EXE
      PID:1304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im gfndesktop.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5996
  - - C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe
      "C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe"
      4⤵
      Executes dropped EXE
      PID:4360
    - - C:\Galactic Launcher\WinXShell\bin\shell\explorer++.exe
        
        "C:\Galactic Launcher\WinXShell\bin\shell\explorer++.exe"
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2220
  - - C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe
      "C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:2476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4536
  - - C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe
      "C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Modifies registry class
      PID:388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3716
  - - C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe
      "C:\Galactic Launcher\WinXShell\bin\shell\explorer.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      PID:5980
- - C:\Galactic Launcher\Galactic Task Manager\Galactic Task Manager.exe
    "C:\Galactic Launcher\Galactic Task Manager\Galactic Task Manager.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3712
- - C:\Galactic Launcher\Explorer++.exe
    "C:\Galactic Launcher\Explorer++.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5728
- - C:\Galactic Launcher\Firefox\runthis.exe
    "C:\Galactic Launcher\Firefox\runthis.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1272
  - - C:\Galactic Launcher\Firefox\App\firefox64\fury.exe
      "C:\Galactic Launcher\Firefox\App\firefox64\fury.exe" -profile "C:\Galactic Launcher\Firefox\Data\profile"
      4⤵
      Executes dropped EXE
      PID:5556
    - - C:\Galactic Launcher\Firefox\App\firefox64\fury.exe
        
        "C:\Galactic Launcher\Firefox\App\firefox64\fury.exe" -profile "C:\Galactic Launcher\Firefox\Data\profile"
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4048
      - C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe
        
        "C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe" -contentproc --channel="4048.0.570988799\409335373" -parentBuildID 20191202093317 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 1 -prefMapSize 218192 -greomni "C:\Galactic Launcher\Firefox\App\Firefox64\omni.ja" -appomni "C:\Galactic Launcher\Firefox\App\Firefox64\browser\omni.ja" -appdir "C:\Galactic Launcher\Firefox\App\Firefox64\browser" - 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 1808 gpu
        6⤵
        Executes dropped EXE
        
        PID:4564
      - C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe
        
        "C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe" -contentproc --channel="4048.6.1867659377\1761349827" -childID 1 -isForBrowser -prefsHandle 2652 -prefMapHandle 2148 -prefsLen 602 -prefMapSize 218192 -parentBuildID 20191202093317 -greomni "C:\Galactic Launcher\Firefox\App\Firefox64\omni.ja" -appomni "C:\Galactic Launcher\Firefox\App\Firefox64\browser\omni.ja" -appdir "C:\Galactic Launcher\Firefox\App\Firefox64\browser" - 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 2684 tab
        6⤵
        Executes dropped EXE
        
        PID:4692
      - C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe
        
        "C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe" -contentproc --channel="4048.13.107615483\733361063" -childID 2 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 602 -prefMapSize 218192 -parentBuildID 20191202093317 -greomni "C:\Galactic Launcher\Firefox\App\Firefox64\omni.ja" -appomni "C:\Galactic Launcher\Firefox\App\Firefox64\browser\omni.ja" -appdir "C:\Galactic Launcher\Firefox\App\Firefox64\browser" - 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 3016 tab
        6⤵
        Executes dropped EXE
        
        PID:956
      - C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe
        
        "C:\Galactic Launcher\Firefox\App\Firefox64\fury.exe" -contentproc --channel="4048.20.855185505\310592742" -childID 3 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 7663 -prefMapSize 218192 -parentBuildID 20191202093317 -greomni "C:\Galactic Launcher\Firefox\App\Firefox64\omni.ja" -appomni "C:\Galactic Launcher\Firefox\App\Firefox64\browser\omni.ja" -appdir "C:\Galactic Launcher\Firefox\App\Firefox64\browser" - 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 4836 tab
        6⤵
        Executes dropped EXE
        
        PID:6472
- - C:\Galactic Launcher\MoonlightPortable-x64-3.1.1\Moonlight.exe
    "C:\Galactic Launcher\MoonlightPortable-x64-3.1.1\Moonlight.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:6744
- - C:\Galactic Launcher\CloudForceUpdater.exe
    "C:\Galactic Launcher\CloudForceUpdater.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3648
  - - C:\CloudForce\Runtime\Stable-Build\CloudForce-Stable.exe
      "C:\CloudForce\Runtime\Stable-Build\CloudForce-Stable.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1868
- - C:\Galactic Launcher\Lightcord\Lightcord.exe
    "C:\Galactic Launcher\Lightcord\Lightcord.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1136
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=gpu-process --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1516 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6992
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=utility --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1952 /prefetch:8
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4144
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.squirrel.Lightcord.Lightcord --app-path="C:\Galactic Launcher\Lightcord\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6944
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.squirrel.Lightcord.Lightcord --app-path="C:\Galactic Launcher\Lightcord\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Galactic Launcher\Lightcord\resources\app.asar\modules\discord_desktop_core\core\app\mainScreenPreload.js" --enable-remote-module --background-color=#00ffffff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1 --enable-node-leakage-in-renderers
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4136
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.squirrel.Lightcord.Lightcord --app-path="C:\Galactic Launcher\Lightcord\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Galactic Launcher\Lightcord\resources\app.asar\modules\discord_desktop_core\core\app\mainScreenPreload.js" --enable-remote-module --background-color=#00ffffff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1 --enable-node-leakage-in-renderers
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6996
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=utility --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2968 /prefetch:8
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4664
  - - C:\Galactic Launcher\Lightcord\Lightcord.exe
      "C:\Galactic Launcher\Lightcord\Lightcord.exe" --type=utility --field-trial-handle=1532,17006921845043144089,14767512362492643332,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 /prefetch:8
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/handoff?rpc=6463&key=8b96916d-0336-48e8-9625-0029542b93ac
      4⤵
      PID:4136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://discord.com/handoff?rpc=6463&key=8b96916d-0336-48e8-9625-0029542b93ac
        5⤵
        
        PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3432,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:14
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=4624,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:6604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=6016,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6780,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:14
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6920,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:12
  2⤵
  PID:6276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=5944,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=3624,i,6656180856124261491,14086693984331652349,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5260

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5312

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:6124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004DC
1⤵
PID:5964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery