Resubmissions
02-09-2022 02:49  220902-dbgmjafabp  10
02-09-2022 02:36  220902-c3scnshbc7  10
12-08-2022 07:02  220812-httr2aceh7  10
Analysis
- max time kernel: 732s
- max time network: 760s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2022 02:36
Static task: static1
Behavioral task: behavioral1
- Sample: csrss.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: csrss.exe
- Resource: win10v2004-20220812-en
Errors
General
- Target: csrss.exe
- Size: 4.5MB
- MD5: 2f29ebdaf7b3395ebdadb13f453177c7
- SHA1: 20913d2d3c145adf43af7f13108cd1eb974862ca
- SHA256: 5d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
- SHA512: 27c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
- SSDEEP: 98304:477X24Nev1+NrGJ4FSBiD+Fon/wpCmreluztZi3:kX243NrGk+F+/wYmt
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
- Glupteba payload (8 IoCs)
  resource | yara_rule
  behavioral2/memory/2436-133-0x0000000003500000-0x0000000003E26000-memory.dmp | family_glupteba
  behavioral2/memory/2436-134-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/2436-136-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/2272-137-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/2272-138-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/2272-144-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/4552-149-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
  behavioral2/memory/4552-152-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 5988 | 2484 | OfficeC2RClient.exe | WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3944 | 2484 | OfficeC2RClient.exe | WINWORD.EXE
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | process | target process
  PID 4984 created 2436 | 4984 | svchost.exe | csrss.exe
  PID 4984 created 4552 | 4984 | svchost.exe | csrss.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Blocklisted process makes network request (4 IoCs)
  flow | pid | process
  94 | 2436 | powershell.exe
  95 | 2436 | powershell.exe
  305 | 2436 | powershell.exe
  306 | 2436 | powershell.exe
- Executes dropped EXE (7 IoCs)
  pid | process
  4552 | csrss.exe
  1264 | injector.exe
  1532 | gatherosstatemodified.exe
  5368 | dismhost.exe
  5324 | dismhost.exe
  5384 | gatherosstatemodified.exe
  308 | gatherosstatemodified.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Stops running service(s) (3 TTPs)
- Loads dropped DLL (38 IoCs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EmptySmoke = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Checks for any installed AV software in registry (1 TTP, 2 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | DeviceCensus.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | DeviceCensus.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  339 | ipinfo.io
  346 | ipinfo.io
- Drops file in System32 directory (16 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | csrss.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | DeviceCensus.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | DeviceCensus.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC718356-C84F-4E67-9E19-B84857F274C3}.catalogItem | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | csrss.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D9833791-3F90-4F92-9E29-8A152A47724A}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{84640E7E-8C75-4DCF-B53F-A1DE56C2C0B6}.catalogItem | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | DeviceCensus.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | csrss.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{669307E9-E35F-4701-B6FE-417DEC7EB996}.catalogItem | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | DeviceCensus.exe
- Drops file in Windows directory (12 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
  File opened for modification | C:\Windows\rss | csrss.exe
  File created | C:\Windows\rss\csrss.exe | csrss.exe
  File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
  File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
  File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
  File opened for modification | C:\Windows\Logs\DISM\dism.log | Dism.exe
  File opened for modification | C:\Windows\Logs\DISM\dism.log | Dism.exe
  File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
  File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
  File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
  File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
- Launches sc.exe (12 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | process
  5400 | sc.exe
  4172 | sc.exe
  4848 | sc.exe
  5080 | sc.exe
  6124 | sc.exe
  4732 | sc.exe
  3908 | sc.exe
  664 | sc.exe
  5704 | sc.exe
  5668 | sc.exe
  4592 | sc.exe
  5528 | sc.exe
- Program crash (2 IoCs)
  pid | pid_target | process | target process
  3200 | 2436 | WerFault.exe | csrss.exe
  4856 | 3892 | WerFault.exe |
- Checks SCSI registry key(s) (3 TTPs, 57 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
- Checks processor information in registry (2 TTPs, 20 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 21 IoCs)
- Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
- Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 64 IoCs
Processes:
explorer.exeexplorer.exeexplorer.execontrol.execontrol.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings control.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = 
"6" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings control.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe -
Modifies registry key 1 TTPs 48 IoCs
Processes:
reg.exe (48 instances). pid process: 3152, 5816, 5196, 3500, 5440, 2256, 4304, 1052, 5536, 4384, 2216, 5404, 664, 5348, 3020, 2676, 5752, 5212, 5300, 5992, 5892, 5344, 6008, 5572, 2788, 5228, 4184, 216, 5256, 444, 6080, 3916, 592, 3844, 5404, 1392, 5956, 728, 5764, 3028, 5756, 2248, 3816, 5704, 3872, 5328, 1620, 1256 (5404 is listed twice: the PID was reused during the run). Note: this signature fires on reg.exe execution, not on a confirmed write; the two instances that also appear in the process tree (5212 and 5404) run read-only reg query commands, so not every hit here changed the registry.
Modifies system certificate store
(The key name CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of the public ISRG Root X1 certificate, Let's Encrypt's root, and the Blob below carries that certificate's DER together with its CryptoAPI properties: subject "Internet Security Research Group / ISRG Root X1", serial 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00, valid 2015-06-04 to 2035-06-04, subject key identifier 79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e. Writing a publicly trusted root into HKLM\...\SystemCertificates\ROOT is not by itself a rogue-CA installation; decode what certificate a Blob holds before treating a trust-store IoC as a finding. The Glupteba payload and the persistence entries in the process tree are the actionable findings here.)
Processes:
csrss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3c
a74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 csrss.exe -
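Decoding that Blob value, as an added example in PowerShell (not from the report or the sandbox vendor): it walks the CryptoAPI property records of a SystemCertificates Blob, pulls out the DER certificate and checks it against the registry key name. The record layout (property ID, reserved word equal to 1, length, data) is the serialized certificate-store element format and the property-ID names are from wincrypt.h; the function names are the example's own. It runs the record walker over the first records of the Blob quoted above (copied from the report and cut at the start of the certificate record) and the full check over a self-signed certificate it generates in memory, which needs .NET Framework 4.7.2 or later (Windows PowerShell 5.1 on a current Windows 10) or PowerShell 7.

```powershell
# Added example, not from the report: decode a CryptoAPI certificate Blob as stored at
# HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<sha1>\Blob.
# Layout: records of UINT32 PropertyId | UINT32 Reserved (=1) | UINT32 Length | Data.
# Property IDs are from wincrypt.h; CERT_CERT_PROP_ID (32) carries the DER certificate.
$PropertyNames = @{
     2 = 'CERT_KEY_PROV_INFO_PROP_ID';   3 = 'CERT_SHA1_HASH_PROP_ID'
     4 = 'CERT_MD5_HASH_PROP_ID';        9 = 'CERT_ENHKEY_USAGE_PROP_ID'
    11 = 'CERT_FRIENDLY_NAME_PROP_ID';  15 = 'CERT_SIGNATURE_HASH_PROP_ID'
    20 = 'CERT_KEY_IDENTIFIER_PROP_ID'; 25 = 'CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID'
    32 = 'CERT_CERT_PROP_ID'
}

function ConvertFrom-HexString([string]$Hex) {
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16) }
    return ,$bytes
}

function ConvertFrom-CertBlob {
    param([byte[]]$Blob, [switch]$AllowTruncated)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $id  = [int][BitConverter]::ToUInt32($Blob, $pos)
        $len = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos += 12
        if ($pos + $len -gt $Blob.Length) {
            # A value quoted or exported with its tail cut off (as in the report) ends here.
            if ($AllowTruncated) { break }
            throw "Property $id declares $len bytes but only $($Blob.Length - $pos) remain"
        }
        $data = if ($len -gt 0) { [byte[]]$Blob[$pos..($pos + $len - 1)] } else { [byte[]]@() }
        $name = if ($PropertyNames.ContainsKey($id)) { $PropertyNames[$id] } else { "UNKNOWN_$id" }
        [pscustomobject]@{
            PropertyId = $id; Name = $name
            Hex        = ([BitConverter]::ToString($data) -replace '-', '')
            Data       = $data
        }
        $pos += $len
    }
}

function Get-CertFromBlob([byte[]]$Blob) {
    $rec = ConvertFrom-CertBlob -Blob $Blob | Where-Object PropertyId -eq 32
    if (-not $rec) { throw 'Blob carries no CERT_CERT_PROP_ID record' }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$rec.Data)
}

function Test-CertBlobKeyName([byte[]]$Blob, [string]$KeyName) {
    # The key is named after the SHA-1 thumbprint and the Blob repeats it in property 3;
    # key name, property and certificate must all agree for an untampered store entry.
    $cert = Get-CertFromBlob $Blob
    $sha1 = ConvertFrom-CertBlob -Blob $Blob | Where-Object PropertyId -eq 3
    [pscustomobject]@{
        KeyName = $KeyName.ToUpper(); Subject = $cert.Subject; Issuer = $cert.Issuer
        NotBefore = $cert.NotBefore;  NotAfter = $cert.NotAfter
        ThumbprintMatches   = ($cert.Thumbprint -eq $KeyName.ToUpper())
        Sha1PropertyMatches = ($null -ne $sha1 -and $sha1.Hex -eq $cert.Thumbprint)
    }
}

function Get-RegistryCertEntry([string]$Thumbprint, [string]$Store = 'ROOT') {
    # Live use: read and check the machine-store entry the report shows being written.
    $key = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$Store\Certificates\$Thumbprint"
    Test-CertBlobKeyName -Blob (Get-ItemProperty -LiteralPath $key -Name Blob).Blob -KeyName $Thumbprint
}

# 1. Leading records of the report's Blob (copied from the report, cut at the start of
#    the certificate record), walked in truncation-tolerant mode.
$ReportBlobPrefix = '0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e' +
    '14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e' +
    '030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8' +
    '0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63' +
    '1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6' +
    '20000000010000006f0500003082056b'
ConvertFrom-CertBlob -Blob (ConvertFrom-HexString $ReportBlobPrefix) -AllowTruncated |
    Format-Table PropertyId, Name, Hex -AutoSize

# 2. Full round trip on a certificate generated here (CertificateRequest needs .NET
#    Framework 4.7.2+ or PowerShell 7): serialize a minimal Blob, then verify it.
function New-CertBlob([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($rec in @(@(3, (ConvertFrom-HexString $Cert.Thumbprint)), @(32, $Cert.RawData))) {
        foreach ($n in @($rec[0], 1, $rec[1].Length)) { $out.AddRange([byte[]][BitConverter]::GetBytes([uint32]$n)) }
        $out.AddRange([byte[]]$rec[1])
    }
    return ,$out.ToArray()
}
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Added Example Test Root', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$testCert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddYears(1))
$blob = New-CertBlob $testCert
Test-CertBlobKeyName -Blob $blob -KeyName $testCert.Thumbprint
Test-CertBlobKeyName -Blob $blob -KeyName ('0' * 40)
```

The prefix walk lists records 4, 20, 3, 15 and 25 and stops cleanly at the cut-off certificate record instead of throwing; record 3 reads CABD2A79A1076A31F21D253635CB039D4329A5E8, the key name in the report, and record 20 is the subject key identifier that also appears inside the certificate. Of the two checks on the generated certificate, the first returns both match fields true and the second reports ThumbprintMatches false, which is what a Blob copied under a foreign key name looks like. On a machine that has this root in its machine store, Get-RegistryCertEntry -Thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 shows the ISRG Root X1 subject and issuer.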
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
Processes:
pid process: 692 explorer.exe, 4468 explorer.exe, 5528 explorer.exe, 2484 WINWORD.EXE (2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (hits): 2436 csrss.exe (2), 2272 csrss.exe (2), 2436 powershell.exe (3), 4552 csrss.exe (2), 1264 injector.exe (55). PID 2436 appears under two images because the first-stage csrss.exe crashed (see the WerFault -p 2436 entries in the process tree) and the PID was later reused by powershell.exe. The 55 hits from injector.exe are consistent with it enumerating processes to locate taskmgr.exe, the target named on its command line.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
Processes:
pid process: 5808 msedge.exe (37)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid process: privileges enabled (repeat count), grouped by process in order of first appearance
2436 csrss.exe: SeDebugPrivilege, SeImpersonatePrivilege
4984 svchost.exe (seclogon service host): SeTcbPrivilege (2), SeBackupPrivilege (2), SeRestorePrivilege (2)
2272 csrss.exe: SeSystemEnvironmentPrivilege
2436 powershell.exe: SeDebugPrivilege
4552 csrss.exe: SeSystemEnvironmentPrivilege
1192 control.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
692 explorer.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
3656 WMIC.exe, the same 21 twice in the same order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
5780 WMIC.exe (cut off by the 64-entry cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege
Notes: the numeric entries are privilege LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Both WMIC.exe instances belong to the powershell.exe/MAS.cmd subtree in the process tree, and the enable-everything pattern is what wmic.exe shows in any run rather than something the sample requested; control.exe and explorer.exe are desktop activity. The entries attributable to the sample are SeDebugPrivilege and SeImpersonatePrivilege in the first-stage csrss.exe (2436), SeSystemEnvironmentPrivilege in the second (2272) and third (4552) stages, and SeTcb/SeBackup/SeRestore in the seclogon service host that, per the WriteProcessMemory table, created the second stage on its behalf.
Suspicious use of FindShellTrayWindow 31 IoCs
Processes:
pid process: 692 explorer.exe, 4084 msedge.exe, 4468 explorer.exe, 5528 explorer.exe, 5808 msedge.exe (27)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid process: 5808 msedge.exe (24)
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid process: 2484 WINWORD.EXE (8), 5988 OfficeC2RClient.exe, 3944 OfficeC2RClient.exe, 7080 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process: distinct writer → target pairs, with the number of WriteProcessMemory calls recorded for each
4984 svchost.exe → 2272 csrss.exe (3)
2272 csrss.exe → 3048 cmd.exe (2)
3048 cmd.exe → 2164 netsh.exe (2)
2272 csrss.exe → 4552 csrss.exe (3)
4984 svchost.exe → 948 schtasks.exe (2)
4552 csrss.exe → 1264 injector.exe (2)
2436 powershell.exe → 3708 cmd.exe (2)
3708 cmd.exe → 4236 findstr.exe (2)
3708 cmd.exe → 3056 cmd.exe (2)
3708 cmd.exe → 1852 reg.exe (2)
3708 cmd.exe → 3412 find.exe (2)
3708 cmd.exe → 3784 cmd.exe (2)
3784 cmd.exe → 4172 cmd.exe (2)
3784 cmd.exe → 1944 cmd.exe (2)
3708 cmd.exe → 1164 cmd.exe (2)
3708 cmd.exe → 4676 find.exe (2)
3708 cmd.exe → 4732 reg.exe (2)
3708 cmd.exe → 3536 cmd.exe (2)
3536 cmd.exe → 1908 reg.exe (2)
3708 cmd.exe → 860 mode.com (2)
3708 cmd.exe → 1056 choice.exe (2)
4084 msedge.exe → 2600 msedge.exe (2)
4084 msedge.exe → 2676 msedge.exe (18)
Two or three writes per child is the ordinary footprint of process creation (the creator writes the new process's startup parameters into it), so this table is a creator/child map rather than evidence of injection. The entry that matters is the first: the second-stage csrss.exe (2272) was written by the seclogon service host (4984), not by the first-stage csrss.exe (2436) that the process tree shows as its parent, and the same host created schtasks.exe (948). Creating a process on another process's behalf is what the Secondary Logon service does, and the NtCreateUserProcessOtherParentProcess signature on PID 4984 is the sandbox recording that parent/creator mismatch.
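Reading that table as a process tree and checking parentage automatically, as an added example in PowerShell (not from the report or the sandbox vendor): it parses the sandbox's own "PID a wrote to memory of b a parent child" lines, collapses the repeated writes of each creator/child pair, prints the tree and flags a Windows system-process name whose recorded creator is wrong for that name. The input is a constructed subset of the lines above; the expected-parent table is the example's assumption about a stock Windows 10 boot chain, and the function names are the example's own.

```powershell
# Added example, not from the report: rebuild creator -> child lineage from the sandbox's
# "PID a wrote to memory of b a parent child" lines and flag a Windows system-process
# name whose recorded creator is not the one that process name should have.

# Constructed input: a subset of the report's lines, copied verbatim.
$ReportLines = @(
    'PID 4984 wrote to memory of 2272 4984 svchost.exe csrss.exe'
    'PID 4984 wrote to memory of 2272 4984 svchost.exe csrss.exe'
    'PID 4984 wrote to memory of 2272 4984 svchost.exe csrss.exe'
    'PID 2272 wrote to memory of 3048 2272 csrss.exe cmd.exe'
    'PID 3048 wrote to memory of 2164 3048 cmd.exe netsh.exe'
    'PID 2272 wrote to memory of 4552 2272 csrss.exe csrss.exe'
    'PID 4984 wrote to memory of 948 4984 svchost.exe schtasks.exe'
    'PID 4552 wrote to memory of 1264 4552 csrss.exe injector.exe'
    'PID 2436 wrote to memory of 3708 2436 powershell.exe cmd.exe'
    'PID 3708 wrote to memory of 4236 3708 cmd.exe findstr.exe'
)

# Assumption (stock Windows 10 boot chain): which image may create each core system
# process. smss.exe itself is started by the System process and is left out.
$ExpectedParent = @{
    'csrss.exe'    = @('smss.exe')
    'wininit.exe'  = @('smss.exe')
    'winlogon.exe' = @('smss.exe')
    'services.exe' = @('wininit.exe')
    'lsass.exe'    = @('wininit.exe')
    'svchost.exe'  = @('services.exe')
}

function ConvertFrom-WpmLines {
    param([string[]]$Lines)
    # One edge per distinct (creator, child) pair; the sandbox logs every WriteProcessMemory
    # call, so the repeats are collapsed into a count.
    $edges = @{}
    foreach ($line in $Lines) {
        if ($line -match '^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$') {
            $key = "$($Matches[1])>$($Matches[2])"
            if (-not $edges.ContainsKey($key)) {
                $edges[$key] = [pscustomobject]@{
                    ParentPid = [int]$Matches[1]; ParentImage = $Matches[3]
                    ChildPid  = [int]$Matches[2]; ChildImage  = $Matches[4]; Calls = 0
                }
            }
            $edges[$key].Calls++
        }
    }
    return @($edges.Values | Sort-Object ParentPid, ChildPid)
}

function Find-SystemProcessMasquerade {
    param([object[]]$Edges)
    foreach ($e in $Edges) {
        $allowed = $ExpectedParent[$e.ChildImage.ToLower()]
        if ($allowed -and ($allowed -notcontains $e.ParentImage.ToLower())) {
            [pscustomobject]@{
                ChildPid = $e.ChildPid; ChildImage = $e.ChildImage
                ParentPid = $e.ParentPid; ParentImage = $e.ParentImage
                ExpectedParent = ($allowed -join ', ')
            }
        }
    }
}

function Show-ProcessTree {
    param([object[]]$Edges, [int]$ProcessId, [string]$Image, [int]$Depth = 0)
    # Prints a process, then recursively every child the edges record for it.
    Write-Output (('    ' * $Depth) + "$Image ($ProcessId)")
    foreach ($e in ($Edges | Where-Object ParentPid -eq $ProcessId)) {
        Show-ProcessTree -Edges $Edges -ProcessId $e.ChildPid -Image $e.ChildImage -Depth ($Depth + 1)
    }
}

$edges     = ConvertFrom-WpmLines -Lines $ReportLines
$childPids = $edges | ForEach-Object ChildPid
# Roots are creators that never appear as a child: the report records no creator for them.
$roots = $edges | Where-Object { $childPids -notcontains $_.ParentPid } |
    Select-Object ParentPid, ParentImage -Unique
foreach ($root in $roots) { Show-ProcessTree -Edges $edges -ProcessId $root.ParentPid -Image $root.ParentImage }

Find-SystemProcessMasquerade -Edges $edges | Format-Table -AutoSize
```

On the constructed input the tree has two roots, svchost.exe (4984) and powershell.exe (2436), and the masquerade check flags 2272 csrss.exe (creator svchost.exe, expected smss.exe) and 4552 csrss.exe (creator csrss.exe); the first-stage 2436 has no recorded creator on the page and is therefore not flagged, which is the limit of creator-based checks when the sandbox starts the sample itself.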
Processes
-
(Level-1 entries have no recorded parent. The sample's chain is the Temp\csrss.exe entry below; the seclogon svchost.exe, the second WerFault.exe and the powershell.exe/MAS.cmd subtree further down are separate level-1 roots, not its children. Per the WriteProcessMemory table in the signatures, the second-stage csrss.exe (2272) and schtasks.exe (948) were actually created through the seclogon service host (4984). The Sysnative path in the cmd.exe command line and the SysWOW64 WerFault.exe show the sample is a 32-bit image running on the x64 guest.)

C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 4752
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2436
    C:\Users\Admin\AppData\Local\Temp\csrss.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2272
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          - Suspicious use of WriteProcessMemory
          PID: 3048
            C:\Windows\system32\netsh.exe
              cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
              PID: 2164
        C:\Windows\rss\csrss.exe
          cmdline: C:\Windows\rss\csrss.exe ""
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4552
            C:\Windows\SYSTEM32\schtasks.exe
              cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
              PID: 948
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 1264
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 904
      - Program crash
      PID: 3200
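A host check for what this subtree leaves behind, as an added example in PowerShell (not from the report or the sandbox vendor): it looks for the dropped copy under C:\Windows\rss\, a csrss.exe running from the wrong image or with a live parent, the ONLOGON scheduled task, the inbound firewall rule, Run values pointing at the drop directory, and Task Manager with the hook DLL loaded. The literal names (the csrss task and rule, C:\Windows\rss\, NtQuerySystemInformationHook.dll) come from this run; the name-independent checks are the durable part. It assumes an elevated session on Windows 8 / Server 2012 or later (Get-ScheduledTask and the Get-NetFirewall* cmdlets), and the function name is the example's own.

```powershell
# Added example, not from the report: hunt a live host for the artifacts this subtree leaves.
# Literal names (task and rule "csrss", C:\Windows\rss\, NtQuerySystemInformationHook.dll)
# come from this run; the path- and name-independent checks are the durable part.
# Run elevated; Get-ScheduledTask and Get-NetFirewall* need Windows 8 / Server 2012 or later.
function Invoke-GluptebaArtifactHunt {
    $sys32    = "$env:SystemRoot\System32"
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Dropped copy outside System32 (report: C:\Windows\rss\csrss.exe).
    if (Test-Path -LiteralPath "$env:SystemRoot\rss") {
        Get-ChildItem -LiteralPath "$env:SystemRoot\rss" -File -Recurse |
            ForEach-Object { Add-Finding 'DroppedFile' $_.FullName }
    }

    # 2. A csrss.exe running from the wrong image, or with a live parent: the real one is a
    #    protected process created by a per-session smss.exe that exits right afterwards.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
        if ($proc.ExecutablePath -and $proc.ExecutablePath -ne "$sys32\csrss.exe") {
            Add-Finding 'MasqueradingProcess' "PID $($proc.ProcessId) runs $($proc.ExecutablePath)"
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        if ($parent -and $parent.Name -ne 'smss.exe') {
            Add-Finding 'MasqueradingProcess' "PID $($proc.ProcessId) csrss.exe has live parent $($parent.Name) ($($parent.ProcessId))"
        }
    }

    # 3. Scheduled task whose action runs from the drop directory, or a task named "csrss" that
    #    does not point into System32 (report: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TN csrss).
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute -and ($a.Execute -like "$env:SystemRoot\rss\*" -or
                ($task.TaskName -eq 'csrss' -and $a.Execute -notlike "$sys32\*"))) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($a.Execute) (RunLevel $($task.Principal.RunLevel))"
            }
        }
    }

    # 4. Inbound allow rule for a program under the drop directory (report: netsh advfirewall
    #    firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe").
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $app = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -like "$env:SystemRoot\rss\*" -or $rule.DisplayName -eq 'csrss') {
            Add-Finding 'FirewallRule' "$($rule.DisplayName) -> $($app.Program)"
        }
    }

    # 5. Run values pointing at the drop directory ("Adds Run key to start application" in the
    #    report; the value name was not captured, so only the target is matched).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $vals) { continue }
        foreach ($prop in $vals.PSObject.Properties) {
            if ($prop.Value -is [string] -and $prop.Value -like "*$env:SystemRoot\rss\*") {
                Add-Finding 'RunKey' "$key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 6. Task Manager with the process-hiding hook loaded (report: injector.exe taskmgr.exe
    #    NtQuerySystemInformationHook.dll). Module enumeration needs equal or higher integrity.
    foreach ($tm in Get-Process -Name Taskmgr -ErrorAction SilentlyContinue) {
        try {
            foreach ($m in ($tm.Modules | Where-Object { $_.ModuleName -like 'NtQuerySystemInformationHook*' })) {
                Add-Finding 'InjectedModule' "Taskmgr PID $($tm.Id) has loaded $($m.FileName)"
            }
        } catch {
            Add-Finding 'Error' "Could not enumerate modules of Taskmgr PID $($tm.Id): $($_.Exception.Message)"
        }
    }

    return $findings.ToArray()
}

Invoke-GluptebaArtifactHunt | Format-Table -AutoSize
```

Each finding carries the check that produced it, so the output can be fed to a ticket or a SIEM lookup as-is. Check 2 is the generic one: a csrss.exe whose ExecutablePath is not System32, or whose parent PID still belongs to a live non-smss.exe process, is wrong on any Windows host regardless of what this particular sample named its files; a reused parent PID can produce a false match there, which is why the parent's image name is included in the finding.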
-
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4984
-
C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2436 -ip 2436
  PID: 1256
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2436
  (PID 2436 is reused here: the first-stage csrss.exe with that PID crashed, as the two WerFault -p 2436 entries show. This subtree has no recorded parent and receives no write from any sample process, so its MAS.cmd activity, the reg/sc/wmic children and the "Blocklisted process makes network request" hit should be assessed separately from the sample.)
    C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "
      - Suspicious use of WriteProcessMemory
      PID: 3708
        C:\Windows\System32\findstr.exe
          cmdline: findstr /rxc:".*" "MAS.cmd"
          PID: 4236
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ver
          PID: 3056
        C:\Windows\System32\reg.exe
          cmdline: reg query "HKCU\Console" /v ForceV2
          PID: 1852
        C:\Windows\System32\find.exe
          cmdline: find /i "0x0"
          PID: 3412
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
          - Suspicious use of WriteProcessMemory
          PID: 3784
            C:\Windows\System32\cmd.exe
              cmdline: cmd
              PID: 1944
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
              PID: 4172
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "
          PID: 1164
        C:\Windows\System32\find.exe
          cmdline: find /i "C:\Users\Admin\AppData\Local\Temp"
          PID: 4676
        C:\Windows\System32\reg.exe
          cmdline: reg query HKU\S-1-5-19
          PID: 4732
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
          - Suspicious use of WriteProcessMemory
          PID: 3536
            C:\Windows\System32\reg.exe
              cmdline: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
              PID: 1908
        C:\Windows\System32\mode.com
          cmdline: mode 76, 30
          PID: 860
        C:\Windows\System32\choice.exe
          cmdline: choice /C:12345678 /N
          PID: 1056
        C:\Windows\System32\findstr.exe
          cmdline: findstr /rxc:".*" "MAS.cmd"
          PID: 4296
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ver
          PID: 3844
        C:\Windows\System32\reg.exe
          cmdline: reg query "HKCU\Console" /v ForceV2
          PID: 4152
        C:\Windows\System32\find.exe
          cmdline: find /i "0x0"
          PID: 532
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
          PID: 4204
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
              PID: 5328
            C:\Windows\System32\cmd.exe
              cmdline: cmd
              PID: 5380
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "
          PID: 5472
        C:\Windows\System32\find.exe
          cmdline: find /i "C:\Users\Admin\AppData\Local\Temp"
          PID: 5496
        C:\Windows\System32\reg.exe
          cmdline: reg query HKU\S-1-5-19
          PID: 5520
        C:\Windows\System32\mode.com
          cmdline: mode 102, 34
          PID: 5540
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul
          PID: 5680
            C:\Windows\System32\reg.exe
              cmdline: reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
              - Modifies registry key (fires on a read-only reg query)
              PID: 5212
        C:\Windows\System32\sc.exe
          cmdline: sc start WinMgmt
          - Launches sc.exe
          PID: 3908
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul
          PID: 3948
            C:\Windows\System32\reg.exe
              cmdline: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
              - Modifies registry key (fires on a read-only reg query)
              PID: 5404
        C:\Windows\System32\sc.exe
          cmdline: sc start sppsvc
          - Launches sc.exe
          PID: 5400
        C:\Windows\System32\wbem\WMIC.exe
          cmdline: wmic path Win32_ComputerSystem get CreationClassName /value
          - Suspicious use of AdjustPrivilegeToken
          PID: 3656
        C:\Windows\System32\find.exe
          cmdline: find /i "computersystem"
          PID: 1840
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
          PID: 3456
            C:\Windows\System32\wbem\WMIC.exe
              cmdline: wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
              - Suspicious use of AdjustPrivilegeToken
              PID: 5780
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"
          PID: 1852
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:1808
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.cmdline"5⤵PID:5836
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC6C.tmp" "c:\Users\Admin\AppData\Local\Temp\on5bnpf4\CSC5C9FD00F3D23453785393C0794026AE.TMP"6⤵PID:6076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵PID:2608
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5124
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:4168
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:2908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:5840
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:5168
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵PID:5284
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵PID:5252
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵PID:4256
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵PID:4928
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵PID:4656
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"3⤵PID:3776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵PID:1444
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵PID:5340
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 licensing.mp.microsoft.com3⤵PID:2596
-
C:\Windows\System32\PING.EXEping -n 1 licensing.mp.microsoft.com4⤵
- Runs ping.exe
PID:5896 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
PID:5300 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵PID:5928
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
PID:6008 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start3⤵
- Modifies registry key
PID:5992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start 2>nul3⤵PID:6004
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start4⤵
- Modifies registry key
PID:6080 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
PID:5892 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:6128
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:5816 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start3⤵
- Modifies registry key
PID:5196 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start 2>nul3⤵PID:5128
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start4⤵
- Modifies registry key
PID:5344 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
PID:3916 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵PID:3040
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
PID:664 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
- Modifies registry key
PID:5704 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start 2>nul3⤵PID:4040
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start4⤵
- Modifies registry key
PID:592 -
C:\Windows\System32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
PID:4172 -
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"3⤵PID:5452
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:3920
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵PID:3056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵PID:3872
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵PID:5440
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵PID:2468
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\zpjkrj4f\zpjkrj4f.cmdline"4⤵PID:4200
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES262C.tmp" "c:\Windows\Temp\zpjkrj4f\CSC97CDE1E45BA04913B28CDE86983A7C12.TMP"5⤵PID:5368
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
PID:4204 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵PID:5532
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵PID:5528
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵PID:5520
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵PID:5412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵PID:5400
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵PID:4528
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA14⤵PID:4356
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:3316
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:3656
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1532 -
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵PID:4512
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵PID:912
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵PID:3876
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵PID:6012
-
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵PID:2232
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem44B0.tmp4⤵
- Checks SCSI registry key(s)
PID:5232 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:5972
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:4928
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.cmdline"5⤵PID:4808
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4898.tmp" "c:\Users\Admin\AppData\Local\Temp\byeaw3dm\CSC19AFD72FBC9047C98B6154CD3A45FC34.TMP"6⤵PID:3700
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵PID:2296
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5896
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate3⤵PID:5300
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:5992
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵PID:3912
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:6036
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:6080
-
C:\Windows\System32\mode.commode 76, 303⤵PID:4024
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:5848
-
C:\Windows\System32\mode.commode con cols=100 lines=323⤵PID:3976
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵PID:1788
-
C:\Windows\System32\net.exenet start sppsvc /y3⤵PID:4632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵PID:5704
-
C:\Windows\System32\cscript.execscript //nologo slmgr.vbs /dli3⤵PID:5076
-
C:\Windows\System32\cscript.execscript //nologo slmgr.vbs /xpr3⤵PID:388
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵PID:5048
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5348 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵PID:2256
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:3872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵PID:5304
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5328 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵PID:1640
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:4304 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵PID:5208
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵PID:1056
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:3844 -
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath3⤵
- Modifies registry key
PID:2676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵PID:4268
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:5572 -
C:\Windows\System32\cscript.execscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:5668
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵PID:5720
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:5404 -
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
- Modifies registry key
PID:5764 -
C:\Windows\System32\mode.commode 76, 303⤵PID:3848
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:2216
-
C:\Windows\System32\mode.commode con cols=100 lines=323⤵PID:2380
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵PID:2364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:5132
-
C:\Windows\System32\find.exefind /i "ComputerSystem"3⤵PID:5260
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:5152
-
C:\Windows\System32\sc.exesc query osppsvc3⤵
- Launches sc.exe
PID:4848 -
C:\Windows\System32\net.exenet start sppsvc /y3⤵PID:5856
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵PID:5216
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value3⤵PID:5896
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵PID:1644
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value3⤵PID:4888
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵PID:6004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"3⤵PID:3288
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value4⤵PID:1164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵PID:592
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵PID:1860
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:1620
-
C:\Windows\System32\findstr.exefindstr /i VOLUME_KMSCLIENT3⤵PID:1788
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵PID:5936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵PID:3232
-
C:\Windows\System32\findstr.exefindstr /i TIMEBASED_3⤵PID:4632
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵PID:180
-
C:\Windows\System32\findstr.exefindstr /i VIRTUAL_MACHINE_ACTIVATION3⤵PID:1348
-
C:\Windows\System32\cmd.execmd /c exit /b 10740664333⤵PID:504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"3⤵PID:3056
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value4⤵PID:5456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵PID:3412
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵PID:3556
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:1800
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵PID:5304
-
C:\Windows\System32\findstr.exefindstr /i VOLUME_KMSCLIENT3⤵PID:5508
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵PID:1640
-
C:\Windows\System32\findstr.exefindstr /i TIMEBASED_3⤵PID:1944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵PID:556
-
C:\Windows\System32\findstr.exefindstr /i VIRTUAL_MACHINE_ACTIVATION3⤵PID:4944
-
C:\Windows\System32\cmd.execmd /c exit /b 10740654723⤵PID:3844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell "$([DateTime]::Now.addMinutes(229408)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul3⤵PID:2676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$([DateTime]::Now.addMinutes(229408)).ToString('yyyy-MM-dd HH:mm:ss')"4⤵PID:5728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =3⤵PID:5520
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value4⤵PID:4068
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil5⤵PID:5456
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA15⤵PID:2256
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:3948
-
C:\Windows\System32\mode.commode 76, 303⤵PID:3848
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:4980
-
C:\Windows\System32\mode.commode 76, 303⤵PID:6004
-
C:\Windows\System32\choice.exechoice /C:12345 /N3⤵PID:5952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:392
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:5920
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:5168
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:5848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:2836
-
C:\Windows\System32\cmd.execmd4⤵PID:1740
-
C:\Windows\System32\mode.commode 98, 303⤵PID:4548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵PID:3836
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
PID:3028 -
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
PID:664 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:2936
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:1620 -
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:5704 -
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:4376
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵PID:3744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵PID:5096
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵PID:372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | find /i "Current Edition :"3⤵PID:2440
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition4⤵
- Drops file in Windows directory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismhost.exeC:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismhost.exe {681D46E5-5C8B-4918-831F-9AE0F9E7FEA4}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5368 -
C:\Windows\System32\find.exefind /i "Current Edition :"4⤵PID:1152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:5756
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:5100
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2h0jf1hq\2h0jf1hq.cmdline"5⤵PID:1484
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB382.tmp" "c:\Users\Admin\AppData\Local\Temp\2h0jf1hq\CSCCE1722809C4B47B0834C796AA463C2FD.TMP"6⤵PID:5808
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5256
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵PID:5992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:5092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵PID:4320
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $ExecutionContext.SessionState.LanguageMode3⤵PID:2680
-
C:\Windows\System32\find.exefind /i "Full"3⤵PID:4620
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv3⤵PID:5804
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:3744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dism /online /english /Get-TargetEditions | findstr /i /c:"Target Edition : "3⤵PID:3364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalEducation "3⤵PID:5252
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:2264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalWorkstation "3⤵PID:5140
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:5512
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Education "3⤵PID:3776
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:5860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalCountrySpecific "3⤵PID:2608
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:5664
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalSingleLanguage "3⤵PID:1800
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:4696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ServerRdsh "3⤵PID:5436
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:804
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo IoTEnterprise "3⤵PID:5728
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:1636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Enterprise "3⤵PID:2684
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵PID:5544
-
C:\Windows\System32\mode.commode 98, 303⤵PID:2484
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="DXG7C-N36C4-C4HTG-X4T3X-2YV77"3⤵PID:5420
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:344
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵PID:3960
-
C:\Windows\System32\mode.commode 76, 303⤵PID:1252
-
C:\Windows\System32\choice.exechoice /C:12345 /N3⤵PID:4320
-
C:\Windows\System32\mode.commode 76, 303⤵PID:4708
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:5652
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵PID:4740
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:1072
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:3080
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:5232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:4620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:5396
-
C:\Windows\System32\cmd.execmd4⤵PID:5404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵PID:5516
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:5520
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵PID:2740
-
C:\Windows\System32\mode.commode 102, 343⤵PID:1888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵PID:1848
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
PID:1052 -
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
PID:5668 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:5364
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:1256 -
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:5080 -
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:5804
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵PID:5356
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵PID:2836
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵PID:1620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:4376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:2224
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vju1wjci\vju1wjci.cmdline"5⤵PID:5304
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B52.tmp" "c:\Users\Admin\AppData\Local\Temp\vju1wjci\CSC38087004DFB0494BAB80A4AE19D99977.TMP"6⤵PID:5324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵PID:5280
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5480
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:2460
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:1832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:4472
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:5528
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵PID:5156
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵PID:5836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵PID:3876
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵PID:5540
-
C:\Windows\System32\find.exefind /i "eb6d346f-1c60-4643-b960-40ec31596c45"3⤵PID:1800
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵PID:3872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵PID:5368
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵PID:4580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 licensing.mp.microsoft.com3⤵PID:6068
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
PID:5752 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵PID:4252
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
PID:5536 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start3⤵
- Modifies registry key
PID:216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start 2>nul3⤵PID:4608
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start4⤵
- Modifies registry key
PID:4384 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
PID:3500 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:5428
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:5440 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start3⤵
- Modifies registry key
PID:2256 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start 2>nul3⤵PID:4328
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start4⤵
- Modifies registry key
PID:2788 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
PID:3020 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵PID:4628
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
PID:5756 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
- Modifies registry key
PID:5256 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start 2>nul3⤵PID:5052
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start4⤵
- Modifies registry key
PID:2216 -
C:\Windows\System32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
PID:4592 -
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="DXG7C-N36C4-C4HTG-X4T3X-2YV77"3⤵PID:3772
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:5928
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵PID:6084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵PID:5660
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵PID:6028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵PID:3908
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\f2frke3i\f2frke3i.cmdline"4⤵PID:2180
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES5C94.tmp" "c:\Windows\Temp\f2frke3i\CSC57858E7FE824431F848DECBF8A58A8E.TMP"5⤵PID:2760
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
PID:2188 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵PID:600
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵PID:5936
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵PID:4172
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵PID:4232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵PID:3412
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵PID:4268
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA14⤵PID:3784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:4368
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:4256
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" Pfn=Microsoft.Windows.161.X21-43626_8wekyb3d8bbwe;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5384 -
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵PID:2232
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵PID:4376
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵PID:5280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵PID:180
-
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵PID:3876
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem75B9.tmp4⤵
- Checks SCSI registry key(s)
PID:1420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:1636
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:4012
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhxzf42c\xhxzf42c.cmdline"5⤵PID:5408
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E6.tmp" "c:\Users\Admin\AppData\Local\Temp\xhxzf42c\CSC95E2E59CF1CC490787ADEA73C7E25DE.TMP"6⤵PID:2744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵PID:5432
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5476
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate3⤵PID:3960
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:3020
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:5776
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:5756
-
C:\Windows\System32\mode.commode 76, 303⤵PID:5724
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:5952
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵PID:5288
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:5804
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:32
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:1620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:1464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:3412
-
C:\Windows\System32\cmd.execmd4⤵PID:4268
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:1900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵PID:4368
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵PID:4292
-
C:\Windows\System32\mode.commode 76, 253⤵PID:3556
-
C:\Windows\System32\choice.exechoice /C:1234 /N3⤵PID:1268
-
C:\Windows\System32\choice.exechoice /C:12 /N /M "> [1] Continue [2] Go back : "3⤵PID:5140
-
C:\Windows\System32\mode.commode 102, 343⤵PID:5156
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵PID:5512
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
PID:5228 -
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
PID:6124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:5824
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:2248 -
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:5528 -
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:5860
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵PID:3028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵PID:5468
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵PID:3832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:4580
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:4696
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0nuj2oy\b0nuj2oy.cmdline"5⤵PID:6068
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F18.tmp" "c:\Users\Admin\AppData\Local\Temp\b0nuj2oy\CSC5E274B54BDB945D4B65374BC254C2D75.TMP"6⤵PID:5192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵PID:216
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5408
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:1636
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:4012
-
C:\Windows\System32\choice.exechoice /C:12 /N /M "> [1] Activate [2] Go back : "3⤵PID:3500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:5360
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:3280
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵PID:5908
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵PID:5716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵PID:3420
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵PID:5756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵PID:5340
-
C:\Windows\System32\find.exefind /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"3⤵PID:3044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵PID:5352
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵PID:5684
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
PID:5956 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵PID:2392
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
PID:3816 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
PID:444 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵PID:4044
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:1392 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
PID:3152 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵PID:3112
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
PID:4184 -
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="NRG8B-VKK3Q-CXVCJ-9G2XF-6Q84J"3⤵PID:2052
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:5764
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵PID:5856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE" 2>nul3⤵PID:1232
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE4⤵PID:5548
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵PID:32
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵PID:4632
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"3⤵PID:5784
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\82bbc092-bc50-4e16-8e18-b74fc486aec3" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"3⤵PID:5508
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\82bbc092-bc50-4e16-8e18-b74fc486aec3" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵PID:4156
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵PID:592
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\lyfghkbh\lyfghkbh.cmdline"4⤵PID:5228
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES6D87.tmp" "c:\Windows\Temp\lyfghkbh\CSC762429CE9F9D46CEB7B92548D523FFF4.TMP"5⤵PID:596
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
PID:180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵PID:5424
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵PID:5056
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵PID:3896
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵PID:4580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵PID:4068
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" GVLKExp=2038-01-19T03:14:07Z;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:308 -
C:\Windows\System32\net.exenet stop sppsvc /y3⤵PID:5908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵PID:1724
-
C:\Windows\System32\sc.exesc stop sppsvc3⤵
- Launches sc.exe
PID:4732 -
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵PID:3816
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem840C.tmp4⤵
- Checks SCSI registry key(s)
PID:444 -
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵PID:4184
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵PID:4424
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵PID:5048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵PID:2180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:3140
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵PID:3244
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awrwx5va\awrwx5va.cmdline"5⤵PID:6048
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B3E.tmp" "c:\Users\Admin\AppData\Local\Temp\awrwx5va\CSC82661CCA90B2403DB9A5C276E7D8BB70.TMP"6⤵PID:4232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵PID:1140
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:5548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE" 2>nul3⤵PID:1620
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE4⤵PID:4692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(8089390)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul3⤵PID:5512
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$([DateTime]::Now.addMinutes(8089390)).ToString('yyyy-MM-dd HH:mm:ss')"4⤵PID:5824
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $A='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f','','S-1-5-32-544','','Deny','SetValue,Delete';iex(([io.file]::ReadAllText($env:0)-split':Own1\:.*')[1])3⤵PID:3556
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵PID:3912
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"3⤵PID:4572
-
C:\Windows\System32\mode.commode 76, 303⤵PID:5684
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:3152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "2⤵PID:2920
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵PID:2152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:3596
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:3044
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:5352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:5028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:5840
-
C:\Windows\System32\cmd.execmd4⤵PID:5340
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:2396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵PID:3576
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵PID:5416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵PID:3572
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:5956
-
C:\Windows\System32\mode.commode 76, 303⤵PID:5252
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵PID:3284
- C:\Windows\system32\WerFault.exe (depth 1, PID 392)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3892 -ip 3892
- C:\Windows\system32\WerFault.exe (depth 1, PID 4856)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3892 -s 860
  - Program crash
- C:\Windows\system32\control.exe (depth 1, PID 1192)
  Command line: "C:\Windows\system32\control.exe" SYSTEM
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 2232)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\explorer.exe (depth 1, PID 692)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 4084)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultded56bd8h7303h4cbchaa0eh34efe2fffc42
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa060446f8,0x7ffa06044708,0x7ffa06044718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2676)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 556)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5280)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 5264)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\svchost.exe (depth 1, PID 5580)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5812)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6be75dcbh1239h47f9h92cfhde274cd4aca3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5828)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa060446f8,0x7ffa06044708,0x7ffa06044718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6036)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6084)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6068)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
- C:\Windows\System32\PING.EXE (depth 3, PID 5728)
  Command line: ping -n 1 licensing.mp.microsoft.com
  - Runs ping.exe
- C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 4052)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\Clipup.exe (depth 1, PID 2100)
  Command line: "C:\Windows\system32\Clipup.exe" -o
- C:\Windows\system32\Clipup.exe (depth 2, PID 2184)
  Command line: "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem3CC1.tmp
  - Checks SCSI registry key(s)
- C:\Windows\system32\rundll32.exe (depth 1, PID 6032)
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
- C:\Windows\System32\reg.exe (depth 1, PID 5900)
  Command line: reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
- C:\Users\Admin\AppData\Local\Temp\94927D95-095E-48A4-A99A-0C4DA9AFB852\dismhost.exe (depth 1, PID 5324)
  Command line: C:\Users\Admin\AppData\Local\Temp\94927D95-095E-48A4-A99A-0C4DA9AFB852\dismhost.exe {773ED874-169C-4653-82AA-1B2B33001EAB}
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- C:\Windows\System32\findstr.exe (depth 1, PID 3920)
  Command line: findstr /i /c:"Target Edition : "
- C:\Windows\System32\Dism.exe (depth 1, PID 1284)
  Command line: dism /online /english /Get-TargetEditions
  - Drops file in Windows directory
- C:\Windows\system32\DeviceCensus.exe (depth 1, PID 388)
  Command line: C:\Windows\system32\DeviceCensus.exe
  - Checks for any installed AV software in registry
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\system32\Clipup.exe (depth 1, PID 4080)
  Command line: "C:\Windows\system32\Clipup.exe" -o
- C:\Windows\system32\Clipup.exe (depth 2, PID 3776)
  Command line: "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem6E18.tmp
  - Checks SCSI registry key(s)
- C:\Windows\system32\control.exe (depth 1, PID 4784)
  Command line: "C:\Windows\system32\control.exe" SYSTEM
  - Modifies registry class
- C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 5404)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\explorer.exe (depth 1, PID 4468)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\Clipup.exe (depth 1, PID 720)
  Command line: "C:\Windows\system32\Clipup.exe" -o
- C:\Windows\system32\Clipup.exe (depth 2, PID 4436)
  Command line: "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem8FF3.tmp
  - Checks SCSI registry key(s)
- C:\Windows\system32\control.exe (depth 1, PID 3500)
  Command line: "C:\Windows\system32\control.exe" SYSTEM
  - Modifies registry class
- C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 5900)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\explorer.exe (depth 1, PID 5528)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1, PID 2484)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (depth 2, PID 5988)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /ChangeSetting updatesEnabled=True 16
  - Process spawned unexpected child process
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (depth 2, PID 3944)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /ChangeSetting updatesEnabled=False 16
  - Process spawned unexpected child process
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5808)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa060446f8,0x7ffa06044708,0x7ffa06044718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4792)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5476)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5084)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5820)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1944)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5200)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4468)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 388)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5508 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3672)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 2608)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 4360)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3632)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5492)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4148)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5916)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4388)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4280)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5248)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6108)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2164)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6656 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3472)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3068)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5212)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6124)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5540)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5048)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5512)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5344)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2180)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5152)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4816)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1632)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5432)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4696)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4572)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2256)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5392)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3908)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5744)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4204)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9012 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1444)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9628 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3856)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9132 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4152)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5032)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 456)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7892 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6220)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6316)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6420)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6500)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6788 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6636)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9552 /prefetch:8
- C:\Windows\system32\LogonUI.exe (depth 1, PID 7080)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3fa1855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service 2
- Registry Run Keys / Startup Folder 1
- Scheduled Task 1
Defense Evasion
- Impair Defenses 1
- Install Root Certificate 1
- Modify Registry 4
- Web Service 1
Downloads
-
C:\ProgramData\Microsoft\Windows\ClipSvc\GenuineTicket\GenuineTicket.xmlFilesize
1KB
MD5652a56b106f16db440e06153a6f54c27
SHA1409805f97a5a5212dadb7d0cdb27a41220a14a84
SHA2564e60b41c213680ab2a962a39d623fbaeab89bfc66ea1182b9d902deddc43c854
SHA512342b8524536933ff2f90672751166d76cb3ab73e37c2dd485822b3769a6facf1b9870b2690f93606a92405d1a34defefbd5b750eb82da49c0ba66c2a963b154c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b4b103831d353776ed8bfcc7676f9df
SHA140f33a3f791fda49a35224a469cc67b94ca53a23
SHA256bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
SHA5125cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
3KB
MD548421f0e1f6821c9b6478da6f0bc9820
SHA1cd17e517fd219e2665eeefeaa88e042233fcbc21
SHA2567659042867197af28f9b6a6d412be2c3b1ed0dc1e9f75bf01006d980e62448b4
SHA512bc34720fd0b3826cc4ea4af2eeacd02f6d9ea74c53e0d463f6ae2ba8617188969a225ad76e388a00610fae626dba42dbabc85b2b75b83416ec8d90d6774eeb3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5560a2502dde75fec74de22b903d93ec2
SHA1e6f7af6dd8cbeeb38114587e0672de73462c82a2
SHA25641fd9e065ebdf6a510cd279a8669a080075ec406911cb5d7bf21913dc9117cf5
SHA512f8e420aa7f1c617f9a5ef63add8e5d356cdcf5dfc9a724b70534087d2723a28b303cad7bb611811035e77d0dc9a0cba6f8303c4bc0a982ee65cf9f6df442cb51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD583a7045cacc9daf48ebff4f2ecc9e5e2
SHA11e7fd8fbcc90bf69f7d5ae42aab814c8d9ee00e2
SHA256c3e56ed416df1de5a67d241489c778e2841d0791e86f4eecce2da76cde3bf059
SHA5121a2983b9992817031ae4dd4d1b3ae1b790f394b638915d1902cde5f4210233b0ba6f31722238908fe83bb9dff7704e1ecc69fb90095287b8938ecc78ef2a6dcb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
3KB
MD503cbc96ae454cfd8d9c4f62b32493235
SHA13384fc9d4cfaecdea3f93e2f658f22f44320d99e
SHA2566ed0f581124a90e8c5ee5fddeecc3c7a7e313573895955669a5f9bd511fb69b8
SHA5120e6deacb72d52a3bfcdf0986c9ca73a504f8930c29458290f873fc4ba2633a3edf5fbc196dcc8ec57f2beb43bb933064ed56eff9c0b7907c17fcd0aa035a0292
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ef5ef35c3059825861b16409862d0e3d
SHA1cde5311765478b1bcf309219c1a86a0238612099
SHA25653df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b
SHA5123c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD537448333923114cfe038f85c04b87175
SHA1325970da7764916e40ae025d5a70541d44b2185b
SHA256ff8242c314415438f56ac8273584d397f871a1b9f6899536510377ba6e567466
SHA512651d77fc097381812b07eed940e952c12ed6135fba4cfb19f6e4e2b0c9afff02f78f5558e75a6ccfade5415562ebf6ce6141335c4b95d5fc538fa5a84cb6ac03
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5fc28168b916bf9744961653d503e1164
SHA171deadab13b81a414582f931e9af010152463644
SHA256a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9
SHA51208d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56f3ec531d9232f4a9ff1e0d9a1a0eec3
SHA1d34256535b5ba7ce88f3546856bb6afba61e2dc2
SHA256d27a54c6c57bce9006bd291b87e4a1e5bcfe8c950b5a6c99d92543e7c182530b
SHA512eb259fe12551144eafc85c8552dee0fed49320de7431b41c2689efbff66940372d8ea50f448212b3da7a0a0482085924e5ec2c5ab511838009bf6390a8cfd284
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD543fa7c1a39a72ed005902ff119d9c9b9
SHA10e8f1335d4d0ed4d6f60e99c1de87f468010021f
SHA25653075b5e1f235c4beefc339d664390213712f0c3ff9063f8e65998c15d828785
SHA512328099faad3ca2ff661bd2ce756bf8e521bf4cc4a16c23db6993112dde2172c1415297a9c5b3721ec04699123d0c0289e5abfe6dc75d9c368911bbdec9fc4e8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52ad33642f863ae14ee53bc6853ee330e
SHA1ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA25617c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA51252c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\AppxProvider.dllFilesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismHost.exeFilesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismProv.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismprov.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\MAS.cmdFilesize
568KB
MD51a3c418a19dec8b84aaf0201e0eaeaca
SHA105073108beec6f35374cbdde14dba327011889b6
SHA2568e94eefe902028aabf791aeacd0f021c08b8298f1fc845fbbebe460f66a8d4cb
SHA5126fafa36c2092ed11a65cb38ab64e6c6aa6c3cd9e91b3685cd666a77b301f088ba1fabe1e7e8501d8033e173786d471913fff2a6abee905cb154a5aa1dd3f0047
-
C:\Users\Admin\AppData\Local\Temp\RES4898.tmpFilesize
1KB
MD53c177e4276e84c481d6de8d829109573
SHA1537151f52ce0f20704b8121b74fa445eba34f71c
SHA25695d700ed4db35c440ef4873aa7156c6c81433403746daa330bd67ae3556cddfc
SHA512fef86e2104092f35364925f74684c564b04767816901794f81fcf180198d211dad12664d5f28af650f5053906d1de118dfb134f135778bb9b8f5838da3d8917b
-
C:\Users\Admin\AppData\Local\Temp\RESFC6C.tmpFilesize
1KB
MD5a142acb15e323e1dd97ea11c95914736
SHA19d2012a82ecb5d4282702331bec3b08d40c3ae8d
SHA2565406120aa8d4c79ceb66cc2d5fb410120f4a5a0f3d81258d2d2b1e61d397d367
SHA5121239ec86e18e5d1f915c6c5edb651ac98103408971634068202866d5ba4d11fd2c7fa99fec466766280562a32c9604a6ef919bbe9a1b23e3ffd9832769f4448e
-
C:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.dllFilesize
3KB
MD5b45bc7eec81b96b703068fd70a2e10d4
SHA153994f0975fdde14b6ce465dd3d65844faf16239
SHA2567bbd2b32303ae8d9b26a6d5888e64c4fbc32df1eaab5b96dbc85f21f98795c62
SHA5123e6b6f99935cbbcc78a8e17e379998e2fb4dbd6033ee677c29c01608cf9341dd198776a0da4c827d6ec6a7ea768e483c8ea874203333d1207cf7aeb7216d6424
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.dllFilesize
3KB
MD587b7798dde12c82015aac1f893c0cbd4
SHA13bd8bfdd4cd82db9ca9eedeb8fc9e1ac1e09a9de
SHA2568a03bcc8567f4f84708178898e099db397d839e9f7debe922032855aff5bbe08
SHA512b6a34a494e4c2f139ce17aa628aac60f573c6e4e181f1028469813dc93f53cc755df6696467d7fba4a5f7baffd2d64acfacdf448dcaa7c2554747528f320ba63
-
C:\Users\Admin\AppData\Local\Temp\slmgr.vbsFilesize
139KB
MD53903bcab32a4a853dfa54962112d4d02
SHA1ba6433fba48797cd43463441358004ac81b76a8b
SHA25695fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816
SHA512db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a
-
C:\Users\Admin\AppData\Local\Temp\tem44B0.tmpFilesize
582B
MD52422816ec81a765f182844814023b7f8
SHA10598b43c2503dc2689b1e79be4eb259d11f4a415
SHA25618b8a74337da97ac449034d016770e0d068e2e3e65ac075c2ccd7f6e4ea94aae
SHA512dd1792aed7377dffff2c3dfd5b1af7af5d44e0d5a0f3f9afca64177fe0b5a3f1d7e606e141214caac4cf1bb57fbe5f357bc1d3528538c5ce8090a7e72b1708e3
-
C:\Windows\Logs\DISM\dism.logFilesize
190KB
MD581a1da9690c900dd951f164e2d7ddd1b
SHA180c0e8542fa678b7f45b03198ef5b78afd814923
SHA2562913e250b3c465013eed8b940f9fe618998a0b0aad9d01d8c18a0975b5e635b2
SHA512769f4922dca9ceac8908282b2b065d952e9c550e71a42fe45d84870c2983bf8c7d8608920860fdc8c9165ac61af08e8f8597b0965eebc460d8c05aeb08db5ef1
-
C:\Windows\TEMP\tem3CC1.tmpFilesize
206B
MD5b13af738aa8be55154b2752979d76827
SHA164a5f927720af02a367c105c65c1f5da639b7a93
SHA256663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4
-
C:\Windows\Temp\RES262C.tmpFilesize
1KB
MD562869b753537e8f47dc35bf4fd7514b7
SHA1485e66946ee06656afc81f21d9f88e4dcd09d283
SHA256781eb97d320ff93f4c3e74684c70111d5ce32f7963424ea53438b5ebfb28e406
SHA512d2a2493fd80951fe91bd9f931e907997c3a1636b2d70f32394840edd8864da218799af78c38b64a82e5a7e620ac49e8d00f3cb34993dac421e46ee51e66ea8fa
-
C:\Windows\Temp\_Temp\1Filesize
163KB
MD55e292f7adc1325ff1939720eeee7e084
SHA1add8d84766814d242cd4a18e68221ab1c0aa8c2b
SHA256f0b5aea982431d2ab5f1af9531e673c2255e574001cc405a36deb453f685f046
SHA51278fa465e048ac9cd906bc023f585d1504b09cddb57f2859de39660de9e0bf47f6fcfad65528d8f54b22efe16d19133a9344eb597952a33f69bee7a4c38aa4d27
-
C:\Windows\Temp\_Temp\GenuineTicket.xmlFilesize
1KB
MD5652a56b106f16db440e06153a6f54c27
SHA1409805f97a5a5212dadb7d0cdb27a41220a14a84
SHA2564e60b41c213680ab2a962a39d623fbaeab89bfc66ea1182b9d902deddc43c854
SHA512342b8524536933ff2f90672751166d76cb3ab73e37c2dd485822b3769a6facf1b9870b2690f93606a92405d1a34defefbd5b750eb82da49c0ba66c2a963b154c
-
C:\Windows\Temp\_Temp\gatherosstate.exeFilesize
330KB
MD515ce0753a16dd4f9b9f0f9926dd37c4e
SHA1fabb5a0fc1e6a372219711152291339af36ed0b5
SHA256028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
SHA5124e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exeFilesize
330KB
MD5892fae48577e46eabd9fbbc4107d924c
SHA13fccb9c359edb9527c9f5688683f8b3c5910e75d
SHA2565b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7
SHA51249f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exeFilesize
330KB
MD5892fae48577e46eabd9fbbc4107d924c
SHA13fccb9c359edb9527c9f5688683f8b3c5910e75d
SHA2565b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7
SHA51249f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d
-
C:\Windows\Temp\zpjkrj4f\zpjkrj4f.dllFilesize
3KB
MD5d6e3848d9245ec37fec4956075afb63b
SHA15fba3912006d1f1e618f4d0e97049d88e686a350
SHA256313502db57676d5dca897288d8cb83e34c8e909b17c5a205c4020ee5c3c1cbda
SHA512fba7cbc0c8497693ca566d2affacbda351c27df6a8f3d74b8f4872ffe69cdeeba45baa3186fcd087bc2c1b1ee5a4dc495d4fd53fb39ff30ffcd364064023b972
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\CSC19AFD72FBC9047C98B6154CD3A45FC34.TMPFilesize
652B
MD5d6d383b96a777dbb487ed2fb438ebe00
SHA1009987b279ba9946a160c8d43de82b0bffe19e7e
SHA2562f1232a001abfbbb7b881b35a5014ba01af8444b8d74563c0971949070a8b0a7
SHA51262d0b91fd35576649c57bf7a15a5059b261512072f59a46980ebb81e186c8be15d9532f928b2da4dbd522893cb21e29b13651fc14b5739d0e0e129a19a0e7c1f
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.0.csFilesize
272B
MD5188a35f3c29c637f10acb64368535fdf
SHA1284ef2a0dbcfff8ee45d709037a200bc064e19bf
SHA25610965c488921948f6a22135f6aa84bc4e6464343f6703516f62d126cecd9097b
SHA5120026ee29515799302293231e264262f9bd2c6144ad8871d6b1efa303f81e4a80c6d611cd9a7aefd3efe8e15d6b7c462f71713b5100807009673dcfd6ee4b0b94
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.cmdlineFilesize
369B
MD5dcb1509bc8439f98079e44c158ec943d
SHA1abaa0db37109239ec87d09ee78f383b3034b403e
SHA25629ec969b00c4469604e0785943ac4113ed6d658e79b39ce9e43a38a6b9dd3622
SHA512f8e0fc31eeec58aa29cbb46922c7d48a3602173127420dd535bf62fdef4fb888b23c9f03a15409801e3b876ba31270a7b88e398fa460259fcfedc517db853942
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\CSC5C9FD00F3D23453785393C0794026AE.TMPFilesize
652B
MD5b63f28b541bba5be432850021feb5a36
SHA1ad69deab09476662d83f8d99c2436e74e07ee8bf
SHA2561a458bef51e01be19a4f6177ba4609b0e027416e634264da9e15893cbe28831c
SHA512164d80e80af0390db25064f3cba943240c4e358efbe89ed82a06a503bed2cd38a01f409a7b938ed3681c441b6aa544421ab734af56cdf3bb90b3043da53f53ed
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.0.csFilesize
272B
MD5188a35f3c29c637f10acb64368535fdf
SHA1284ef2a0dbcfff8ee45d709037a200bc064e19bf
SHA25610965c488921948f6a22135f6aa84bc4e6464343f6703516f62d126cecd9097b
SHA5120026ee29515799302293231e264262f9bd2c6144ad8871d6b1efa303f81e4a80c6d611cd9a7aefd3efe8e15d6b7c462f71713b5100807009673dcfd6ee4b0b94
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.cmdlineFilesize
369B
MD5fa8ccaa212844b82737b145661fa59ba
SHA1cd58f797f6433ee800af7623acce3e70fc05cc97
SHA2564c4facb7cec62187360f5e0bc7bbb0233c548bbda5a2af5dd51e8b4a07251c2a
SHA512deaf6d179e1f522520f7157d4266b2a2c56a3caa2b36ea1825a2722d9e343d0b40d4d1b598953f7b7aa1ce7d327d693a62c4c7507eb376c4080d95116fd9d108
-
\??\c:\Windows\Temp\zpjkrj4f\CSC97CDE1E45BA04913B28CDE86983A7C12.TMPFilesize
652B
MD5b9d18ca701f1ba26407ae19c0c72d4e2
SHA1fb67cbd0cf27a38589da0956f3e6e2ef2211b5e5
SHA256ef476b47f354df25a6cbbcf8dfd88412791640368744723155e23b20b4e0c2aa
SHA5126a2a5ce6f6f0797c3f5396bd554c93c04a131d8b096abfbddbce63276aabc651e043f95c0a54c63918b23df785db8bc732cb8605ddf29a0fbb2bc798d3235b4b
-
\??\c:\Windows\Temp\zpjkrj4f\zpjkrj4f.0.csFilesize
522B
MD52e6c19c5992b1e58c8f6f98bb426ced9
SHA163fd7179df39870be99efc9faeddd69991639cdd
SHA256cca4fca9d50e7adead3201fdaead6abc5391b1e575ab33e4725eef731a4d1ac7
SHA512ead127d9b08050f9726fa23be2beed3afdcafe12327f64ab21c902a953b691b8dafd003872b448942d5b95d27cd90aed9a1a721db4a2637eddde135f6c290ab1
-
\??\c:\Windows\Temp\zpjkrj4f\zpjkrj4f.cmdlineFilesize
131B
MD5fb836eda0a7d3a145c501d094b7e1571
SHA1406a27acd0a2f7742689ab275debebbdf3af9961
SHA256fc1585b9767f14a7c782e5aa8f7f6d95a45dbc2ebb84e704c60f726b2e08c100
SHA512ef7cfdc5c9d9c20252d31396074573cb89947f3ea893269bf06fcfa119996e536fe1c4884c08e5c373f483e21186d47f1f72c5daafe31b5ab951d4e24773020a
-
\??\pipe\LOCAL\crashpad_4084_FKIXYECAWEZTHEPCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5812_EJUJUYLWEYZZRRNUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/444-340-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-341-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-342-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-343-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/532-198-0x0000000000000000-mapping.dmp
-
memory/556-175-0x0000000000000000-mapping.dmp
-
memory/592-336-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/592-335-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/720-347-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-352-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-346-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-353-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/860-170-0x0000000000000000-mapping.dmp
-
memory/948-150-0x0000000000000000-mapping.dmp
-
memory/1056-171-0x0000000000000000-mapping.dmp
-
memory/1164-165-0x0000000000000000-mapping.dmp
-
memory/1264-153-0x0000000000000000-mapping.dmp
-
memory/1420-327-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-328-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-325-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-326-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1788-285-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-227-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-222-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-217-0x0000000000000000-mapping.dmp
-
memory/1840-213-0x0000000000000000-mapping.dmp
-
memory/1852-216-0x0000000000000000-mapping.dmp
-
memory/1852-160-0x0000000000000000-mapping.dmp
-
memory/1908-169-0x0000000000000000-mapping.dmp
-
memory/1944-164-0x0000000000000000-mapping.dmp
-
memory/2100-254-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-255-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-253-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-256-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-264-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-263-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2164-140-0x0000000000000000-mapping.dmp
-
memory/2184-261-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-258-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-260-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-257-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2224-309-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2224-310-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2232-267-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-274-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-265-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-273-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-266-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2272-135-0x0000000000000000-mapping.dmp
-
memory/2272-144-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-137-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-138-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2364-287-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2364-289-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-132-0x0000000003000000-0x000000000343C000-memory.dmpFilesize
4.2MB
-
memory/2436-148-0x000001CFFA240000-0x000001CFFA2B6000-memory.dmpFilesize
472KB
-
memory/2436-134-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2436-133-0x0000000003500000-0x0000000003E26000-memory.dmpFilesize
9.1MB
-
memory/2436-146-0x000001CFFA170000-0x000001CFFA1B4000-memory.dmpFilesize
272KB
-
memory/2436-147-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-145-0x000001CFF8FE0000-0x000001CFF9002000-memory.dmpFilesize
136KB
-
memory/2436-151-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-136-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2436-379-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2468-246-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2468-239-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2484-368-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-369-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-365-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/2484-364-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/2484-370-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-367-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-359-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-360-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-363-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-362-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-361-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2600-172-0x0000000000000000-mapping.dmp
-
memory/2608-228-0x0000000000000000-mapping.dmp
-
memory/2676-174-0x0000000000000000-mapping.dmp
-
memory/2680-308-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2680-307-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2908-231-0x0000000000000000-mapping.dmp
-
memory/3048-139-0x0000000000000000-mapping.dmp
-
memory/3056-159-0x0000000000000000-mapping.dmp
-
memory/3244-354-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3244-355-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3412-161-0x0000000000000000-mapping.dmp
-
memory/3456-214-0x0000000000000000-mapping.dmp
-
memory/3536-168-0x0000000000000000-mapping.dmp
-
memory/3556-358-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3556-357-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3656-212-0x0000000000000000-mapping.dmp
-
memory/3708-156-0x0000000000000000-mapping.dmp
-
memory/3776-319-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-318-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-317-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-320-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3784-162-0x0000000000000000-mapping.dmp
-
memory/3816-345-0x00000232650E0000-0x00000232650F0000-memory.dmpFilesize
64KB
-
memory/3816-339-0x00000232650E0000-0x00000232650F0000-memory.dmp  Filesize 64KB
memory/3816-338-0x00000232650E0000-0x00000232650F0000-memory.dmp  Filesize 64KB
memory/3816-344-0x00000232650E0000-0x00000232650F0000-memory.dmp  Filesize 64KB
memory/3844-196-0x0000000000000000-mapping.dmp
memory/3876-324-0x000001E7B6470000-0x000001E7B6480000-memory.dmp  Filesize 64KB
memory/3876-330-0x000001E7B6470000-0x000001E7B6480000-memory.dmp  Filesize 64KB
memory/3876-329-0x000001E7B6470000-0x000001E7B6480000-memory.dmp  Filesize 64KB
memory/3876-323-0x000001E7B6470000-0x000001E7B6480000-memory.dmp  Filesize 64KB
memory/3908-311-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/3908-208-0x0000000000000000-mapping.dmp
memory/3908-312-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/3948-209-0x0000000000000000-mapping.dmp
memory/4012-331-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4012-332-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4080-315-0x0000012405780000-0x0000012405790000-memory.dmp  Filesize 64KB
memory/4080-322-0x0000012405780000-0x0000012405790000-memory.dmp  Filesize 64KB
memory/4080-321-0x0000012405780000-0x0000012405790000-memory.dmp  Filesize 64KB
memory/4080-316-0x0000012405780000-0x0000012405790000-memory.dmp  Filesize 64KB
memory/4152-197-0x0000000000000000-mapping.dmp
memory/4168-230-0x0000000000000000-mapping.dmp
memory/4172-163-0x0000000000000000-mapping.dmp
memory/4204-199-0x0000000000000000-mapping.dmp
memory/4232-314-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4232-313-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4236-158-0x0000000000000000-mapping.dmp
memory/4256-236-0x0000000000000000-mapping.dmp
memory/4296-195-0x0000000000000000-mapping.dmp
memory/4436-349-0x00000228B9070000-0x00000228B9080000-memory.dmp  Filesize 64KB
memory/4436-348-0x00000228B9070000-0x00000228B9080000-memory.dmp  Filesize 64KB
memory/4436-351-0x00000228B9070000-0x00000228B9080000-memory.dmp  Filesize 64KB
memory/4436-350-0x00000228B9070000-0x00000228B9080000-memory.dmp  Filesize 64KB
memory/4552-141-0x0000000000000000-mapping.dmp
memory/4552-149-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
memory/4552-152-0x0000000000400000-0x0000000000D41000-memory.dmp  Filesize 9.3MB
memory/4580-337-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4676-166-0x0000000000000000-mapping.dmp
memory/4696-333-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4696-334-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4732-167-0x0000000000000000-mapping.dmp
memory/4928-237-0x0000000000000000-mapping.dmp
memory/4928-283-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/4928-281-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5100-305-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5100-306-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5124-229-0x0000000000000000-mapping.dmp
memory/5168-233-0x0000000000000000-mapping.dmp
memory/5212-207-0x0000000000000000-mapping.dmp
memory/5232-268-0x0000013F96EF0000-0x0000013F96F00000-memory.dmp  Filesize 64KB
memory/5232-269-0x0000013F96EF0000-0x0000013F96F00000-memory.dmp  Filesize 64KB
memory/5232-270-0x0000013F96EF0000-0x0000013F96F00000-memory.dmp  Filesize 64KB
memory/5232-271-0x0000013F96EF0000-0x0000013F96F00000-memory.dmp  Filesize 64KB
memory/5252-235-0x0000000000000000-mapping.dmp
memory/5280-177-0x0000000000000000-mapping.dmp
memory/5284-234-0x0000000000000000-mapping.dmp
memory/5328-200-0x0000000000000000-mapping.dmp
memory/5380-201-0x0000000000000000-mapping.dmp
memory/5400-211-0x0000000000000000-mapping.dmp
memory/5404-210-0x0000000000000000-mapping.dmp
memory/5412-249-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5412-282-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5472-202-0x0000000000000000-mapping.dmp
memory/5496-203-0x0000000000000000-mapping.dmp
memory/5520-204-0x0000000000000000-mapping.dmp
memory/5540-205-0x0000000000000000-mapping.dmp
memory/5680-206-0x0000000000000000-mapping.dmp
memory/5728-291-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5780-215-0x0000000000000000-mapping.dmp
memory/5824-356-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmp  Filesize 10.8MB
memory/5828-179-0x0000000000000000-mapping.dmp
memory/5836-219-0x0000000000000000-mapping.dmp
memory/5840-232-0x0000000000000000-mapping.dmp
memory/6036-185-0x0000000000000000-mapping.dmp
memory/6068-187-0x0000000000000000-mapping.dmp
memory/6076-223-0x0000000000000000-mapping.dmp
memory/6084-192-0x0000000000000000-mapping.dmp