01e9f0811c2c9ebe4415fe92a9392b7af18010e7b478061c627f60053c6d91a5

Resubmissions

02-11-2023 15:42

231102-s5f1esec3x 1

02-11-2023 15:26

231102-svbyqafh37 1

Analysis

max time kernel
412s
max time network
436s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows license patcher - pass x123/windows license patcher.cmd
Size

4KB
MD5

2e12f2e632131de23ceddfac488086ef
SHA1

606d0b44faf93e9263c89263bec13550807b1199
SHA256

540e7b4747b2a42e25fce449719f4e4c6c807d3f5a56976356bef3c256d8a782
SHA512

80a398827789b8892fac9072db5cb92338f37a52b296040261e909c227ee18991d94abed6f7b9d0cf80fdf1a283edea857984e92e0542945a5a3c6a07eae1ca8
SSDEEP

96:5Dr6FHS5Zm3DpqExUTHjUsge+P2h3IcXri223aTI2K3T8jFsuz2KLP+77WSPknrn:5BmzuZhHN2OjKwRP+77WSPc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
2928	msedge.exe
2928	msedge.exe
4964	identity_helper.exe
4964	identity_helper.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe
Token: SeSecurityPrivilege	5068	WMIC.exe
Token: SeTakeOwnershipPrivilege	5068	WMIC.exe
Token: SeLoadDriverPrivilege	5068	WMIC.exe
Token: SeSystemProfilePrivilege	5068	WMIC.exe
Token: SeSystemtimePrivilege	5068	WMIC.exe
Token: SeProfSingleProcessPrivilege	5068	WMIC.exe
Token: SeIncBasePriorityPrivilege	5068	WMIC.exe
Token: SeCreatePagefilePrivilege	5068	WMIC.exe
Token: SeBackupPrivilege	5068	WMIC.exe
Token: SeRestorePrivilege	5068	WMIC.exe
Token: SeShutdownPrivilege	5068	WMIC.exe
Token: SeDebugPrivilege	5068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5068	WMIC.exe
Token: SeRemoteShutdownPrivilege	5068	WMIC.exe
Token: SeUndockPrivilege	5068	WMIC.exe
Token: SeManageVolumePrivilege	5068	WMIC.exe
Token: 33	5068	WMIC.exe
Token: 34	5068	WMIC.exe
Token: 35	5068	WMIC.exe
Token: 36	5068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3032	2928	msedge.exe	106
PID 2928 wrote to memory of 3032	2928	msedge.exe	106
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 2044	2928	msedge.exe	107
PID 2928 wrote to memory of 4512	2928	msedge.exe	108
PID 2928 wrote to memory of 4512	2928	msedge.exe	108
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109
PID 2928 wrote to memory of 1936	2928	msedge.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows license patcher - pass x123\windows license patcher.cmd"
1⤵
PID:456

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\windows license patcher - pass x123\windows license patcher.cmd
1⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffde48f46f8,0x7ffde48f4708,0x7ffde48f4718
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,12122972770466030370,15932476848283383376,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x340
1⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windows license patcher - pass x123\windows license patcher.cmd" "
1⤵
PID:4920
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ckms
  2⤵
  PID:4428
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /upk
  2⤵
  PID:1060
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /cpky
  2⤵
  PID:4332
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\system32\findstr.exe
  findstr /I "enterprise"
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\system32\findstr.exe
  findstr /I "home"
  2⤵
  PID:2892
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:648
- C:\Windows\system32\findstr.exe
  findstr /I "education"
  2⤵
  PID:4420
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:3220
- C:\Windows\system32\findstr.exe
  findstr /I "10 pro"
  2⤵
  PID:4116
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:3548
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9
  2⤵
  PID:2664
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk NRG8B-VKK3Q-CXVCJ-9G2XF-6Q84J
  2⤵
  PID:3196
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk 9FNHH-K3HBT-3W4TD-6383H-6XYWF
  2⤵
  PID:4608
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk 6TP4R-GNPTD-KYYHQ-7B7DP-J447Y
  2⤵
  PID:3692
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk YVWGF-BXNMC-HTQYQ-CPQ99-66QFC
  2⤵
  PID:2832
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms 104.244.78.23:1688
  2⤵
  PID:5064
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:2544
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms.digiboy.ir:1688
  2⤵
  PID:1584
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:2008
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms.chinancce.com:1688
  2⤵
  PID:3916
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\windows license patcher - pass x123\windows license patcher.cmd"
1⤵
PID:1116
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ckms
  2⤵
  PID:4440
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /upk
  2⤵
  PID:2484
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /cpky
  2⤵
  PID:4032
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:1780
- C:\Windows\system32\findstr.exe
  findstr /I "enterprise"
  2⤵
  PID:1560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:3036
- C:\Windows\system32\findstr.exe
  findstr /I "home"
  2⤵
  PID:3236
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:2388
- C:\Windows\system32\findstr.exe
  findstr /I "education"
  2⤵
  PID:1256
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os
  2⤵
  PID:2248
- C:\Windows\system32\findstr.exe
  findstr /I "10 pro"
  2⤵
  PID:3096
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:4760
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9
  2⤵
  PID:5076
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk NRG8B-VKK3Q-CXVCJ-9G2XF-6Q84J
  2⤵
  PID:884
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk 9FNHH-K3HBT-3W4TD-6383H-6XYWF
  2⤵
  PID:3132
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk 6TP4R-GNPTD-KYYHQ-7B7DP-J447Y
  2⤵
  PID:4944
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ipk YVWGF-BXNMC-HTQYQ-CPQ99-66QFC
  2⤵
  PID:3352
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms 104.244.78.23:1688
  2⤵
  PID:4232
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:1852
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms.digiboy.ir:1688
  2⤵
  PID:3656
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:3996
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms.chinancce.com:1688
  2⤵
  PID:2564
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:1008
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms s8.uk.to:1688
  2⤵
  PID:3108
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:776
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms sv9.uk.to:1688
  2⤵
  PID:3388
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:2796
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms7.MSGuides.com:1688
  2⤵
  PID:1412
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:1568
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms8.MSGuides.com:1688
  2⤵
  PID:1044
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:2924
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /skms kms9.MSGuides.com:1688
  2⤵
  PID:2104
- C:\Windows\system32\cscript.exe
  cscript //nologo slmgr.vbs /ato
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
a18488b29b7fd8448e52ea291fed54cc

SHA1
19a4cc67e098fdc836dc52f7831ecd83740b47f9

SHA256
754873e089d46155f999a7b6eaf0320c29be7eb51c38423c23de4bc95767bd16

SHA512
3a726dee2df58ea0b2aa40f8021b741e356697173e2dff4a8e3412987f6a6ea66d411551f87dfbfbd294cdcd6187589d2efd761fa014041891777401dd8b7dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
77b9ce4671f34012ffb085455fd18c59

SHA1
dedd7a6ca1f367ae07d0393b859f14930ce3c379

SHA256
85900a943a52390b9439fec0bc41815a96e9a53e8901aae4ddd9b159b2f81db7

SHA512
ae7a9b75aaca76ddfd04ba6df10ccb7301f3a57ba2aa1c0be26c019c3336fdbc887af02bd418b066b52e4ae0d70247a6c48e761b6ee83b449710832db1f68f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
b0950cd84a49cc3b7d0c27ad52003b4c

SHA1
aeaf40b1d9a50b9f89cc072fccf1416c16c1818f

SHA256
7f869083cf82ca07e9a364dbbfae79b1145cd4a7e2fb85185f48c1ca54b4a7c8

SHA512
ffed3625b24d0407fa6489a1023f8696affa872dc4b1f4200bbdcd1aff7a2a6333cf744ecb6e3ffd9d753ec7980a271ce83b20902bb4fec3d961d0b28d88945f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c5fc0ec09a37549fc2e72a35bd148b39

SHA1
87c47e2445a0096564435d7650791988e2b76cd0

SHA256
726990e7e27b13ae6b9f897991ad8af1d2dd144ab610f054b806ccdf63aecf67

SHA512
cadd6c04ca93bec7acac01cfd6e18a86ecb42ca03f8f2472ca5727646d6db11b107cc758137c159eb497985d8fb13f409b8db94c46f8d3a9ea85b3c07a22d1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5a275bccbd2ad144fc60ee087c2343ba

SHA1
9c237c1b983e2b19b8aa472450d2e583ba747692

SHA256
34d4f6ddd6658533770dd9abc77d480dacae28c66b2bc0bb7befa2d651a3828a

SHA512
1fae017db8e912ba8a561dae5765398d5e770e96d4ef621676743c5ccfb70cfc0d6adfa486de7a6ccf93ee4e8e56adb5e16213049f7fc53240863ed0b90ea764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e173cd530eb6fc08abadd75ffbea0b0

SHA1
e7ca9740baf68b37b24785ba3adce4a93937f9b8

SHA256
47699faad048ec7ff990a0f770669db96179067f34d6ec00219bf7d3e8148e96

SHA512
172d79de644ef90d26fcec47a330c90a294091d327d451ef9d061bea5c04ee3538592f39afad79ecd7cc5929bb1949814cf6a2d438fd52b5f7d960452990e4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9da1806fb5fe0a986bb60cf5cad4bce

SHA1
0d8a1cc82c8ff9ad1afac8311391e44b654de4c0

SHA256
2c84df535a89adae0441d64f3b8e325479d8869a775ec60531c721f0e8dedc2d

SHA512
1c10df24323165ab7a4223389d588e6e0cf751182cc643151a3666e1d1aa26ab03acf37c1a7f11c6f76a940a1c0afb0f6b3efb7c5a0468c2edd304b07e06b5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
383a69b4a965a6ca9aacdeab672c77e4

SHA1
67ae42eb5a8c97e5e53ed122b908c9911cf12215

SHA256
dd3ca6575ae3c10d8e027847cb31ca8978496abe4779271dee9bf7384f6c0bea

SHA512
0caef89c7f994e7e1faee1fe398f0cc79ecf9575308d128b60c59ccf48a3d5cef6151f87aa63107fd8cda63f50f82bc31a7b68be6599af25a8df5f5952f90087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d0e9a84ea88b742d7d5783ac1c55f6b

SHA1
fb45ce5ef61c3e9af916d5b207e4d9e60a7c63e7

SHA256
f32d0abc4afb02f8fb7d422d137536b48bb635251347729d9d36b7c514aaee3b

SHA512
47a22d39e24700eaa1265371abed0a229790e745a7eb14afbbe5c59a0d8c85adaab63f9b023d0e533760c901527428f74110080db02c9e6c929131c447f49172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
363b33f78c28364ba3c872610b61ab73

SHA1
89b687a135d4f4349e4ea9d6777a15847de688f5

SHA256
bb472ef335b88881cc6e4480a4310865ee849f3b75cd0a2465946cfe44f06e4e

SHA512
e47d5da03cfa423f7ef21bc4e01eb4690e2dbda245512af9255880b8c89f0c6487d5aed0f102cd13322b093bd32d9dca7ad760b29035f35f9554cfeeecc4ec4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
7bc8604be2ef3942b4f4644a67b9d831

SHA1
425ffbd0ee79b9a00ca9dfc5da6613244e97cfd2

SHA256
346c17fee3efb31fdd70b911fe52d7641da1999f0e2c404eacba9df1af82abb0

SHA512
d52ffe7364840eb2f4dab663295dd8b8d6a9b807242e7b0d037739859e0ae3c105c592c45e4e394bb6788433b95807717bcf2b868624348acec604bd4998c7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
139B

MD5
b172f53dd0595f97a6b056481c17b45e

SHA1
cb888c7ba5ea6efa6a3aad6a26ea41255bf05adb

SHA256
27c49f4cc47968c0abb8aeead8d803e6e2e5bcc813100999e963fb8d0c77ccf3

SHA512
44d1201e3df902bb1dd7de9c32d0a0cf8f1293a8a76dc76f20cc88185747238cc779a109e959654963db9e861eacfdb9c4e550d8cc99043992ec0dbb93448247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c68088b875295f79a782108aba730303

SHA1
45c09f8ab7f0565829fb7b479196a316e0ed12d6

SHA256
e799bdb57bae8626e6dde4f07fa4e81d99033e058d21d27d5d5c6baf03048a5d

SHA512
b5455c6d86e380d72a78959b4106d9904ca9dc5ce8317a83491bcb0f4b9b3b91a60fefced2100f67ce81750a6633f313afb040d83e958ce747598920d6e53c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5cb04c.TMP

Filesize
89B

MD5
5868e674ee2a1d5bde2d00c56a4ab07d

SHA1
32acd4f254e4319b40976a3f2ea9f83b02c80d8b

SHA256
de27ee90ae3c38a262497c588901a94d240022d55efae9d3ad5875c835d3bd1b

SHA512
64e9205b59c3a86d6e0d3a612a57f927eeee641acd03659976ec464e599acbb4eacb4b5d6327adcc2c23f78cdefd150a384898552508e1fd02a9c770be1d1b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
04df167cc3d65f99d8fc927f61cc5a02

SHA1
456eb02fce8ce2ddcaed7391cc080f50d4b12a72

SHA256
4ca7c1b017ddefa1cbe3524cff727e76ef116ca441458605bab689255e159833

SHA512
c53b5bdebfbd6e1a162621cadbb1045b4ca3e51c0205b98d207922b4ae0706686df1609b207b2426bca32ea48e29a5fe58dd174e081cc8b29e3fbc27823c4677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
17ac623c6f0862db94b175cd12052d70

SHA1
fae875fae5cf9666c6fce2cc66ddee1995b2daa3

SHA256
649c9936e0c25d72ea1a537f52cdac96234d478007160942d2b42925b03d2a03

SHA512
392268330da4b4c60a0d50c1d3c7494ac83ef10a8d0aca513da3df5b589b185045d91e74013abc6f9a5d40945bebb21d2ed732ceb256cf5ab84e76984c71f4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c4240.TMP

Filesize
372B

MD5
c976b1721f55656d618298005e8fd82f

SHA1
f7cebe5a0edaae6216de63202db420c3fe2e78f4

SHA256
58ab3da543423dc6782b820b1cba2dde71b61fe8c2d2dabba2c986a04bddb9c0

SHA512
492b8bc5a5466a8b7cecd27a4ea811a3ddd95a92b73e2e8636618cae2627f9ce683bb6821ae221aa1b3163df3fe81670baa8296b9e0b196b111f93b9a8e0b888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75c68dbe27bdf88c0f57e0f14ebe24d8

SHA1
0d22bfa8e3f8fbe588e579f68cf8fbda9dc4b755

SHA256
5c495724c4e5dba137151097713cc1a26364b1685f449231ac257b17b28e784d

SHA512
cda2d38e3ed74d28a8e6dd15f035c0a12447441d72a8375f99ef464c9daacea0dc22f8558fa72656e83346a692509a8a87c03bba3d3c37f11fff6971b4c73193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18db9c2259faca30e4a11f28b94cdb6e

SHA1
4d84ec3627c43dbf21a6f27972b3b53eeaebc764

SHA256
6a5cc63595597367df624cf08879525c348be7f2fb0b232076c4c84029a8d974

SHA512
ddbbe5b5959293da44630f593eba971ca8e416340d05167f559d00ebdff369347fb614ab848afaf7e993d67b14327ad4f00498e886997b7250e9bbd553c8f3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
25f8d33578253e8613b6a786a068bdc7

SHA1
193b3b4fe6a083641312d85143b357ea15afbebe

SHA256
86b674bffcdc21b8decc227ebc1e3c2dcaab6622d13945327ca2d4068f789abd

SHA512
85c1c1eccfc6028fa86112e4d701f50379d4d121d9ce0a3a20c4124ff6e8831b8d39400f3fd92f8d8d59568aa8a53ec4eb292b7961fb5131932b233744164ad3

Download Submit