Analysis
- max time kernel: 749s
- max time network: 771s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 06/04/2024, 14:43
Static task: static1
Behavioral task: behavioral1
Sample: rustdesk-1.2.3-1-x86_64.exe
Resource: win11-20240221-en
Errors
General
- Target: rustdesk-1.2.3-1-x86_64.exe
- Size: 19.9MB
- MD5: b71124d95891e357bbd69f2a37d09c77
- SHA1: 082f950345bdc751426e07fa11a7160c2ec41b0b
- SHA256: 4996194639c099db0d854d20832a64e6629fefa37ce6a01ffd8710ac6c9e2522
- SHA512: c17c0d26cbf6ee1031a2b8ea158734ca56f8a696d948451e4a6e68e8f19d1cdadad27756a8838f437036fc1be9b7b240c527f06903c53cbf252b45c02bcb7e4b
- SSDEEP: 393216:yKhFWmaON8w8M1pnQvYdN+ZCN8Syv4aUiOod1WvxJztFIaWyyO0Je7/RA5:yKhUxy8k7PzyAa/OGQxFILNTJs/RA
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
72 | icacls.exe
2220 | icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype for Desktop = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe" | reg.exe
-
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
17044 | Process not Found
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 14 IoCs
-
Executes dropped EXE 16 IoCs
pid | Process
3888 | rustdesk.exe
3832 | rustdesk.exe
4432 | rustdesk.exe
4728 | rustdesk.exe
2328 | rustdesk.exe
11864 | Skype-8.116.0.213.exe
11836 | Skype-8.116.0.213.tmp
12248 | Skype.exe
11048 | Skype.exe
11464 | Skype.exe
11772 | Skype.exe
12176 | Skype.exe
7084 | Skype.exe
12324 | Skype.exe
7456 | Skype.exe
9568 | Skype.exe
-
Loads dropped DLL 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Device Parameters | mstsc.exe
Key security queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters | mstsc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags | mstsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Device Parameters | mstsc.exe
Key security queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | mstsc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags | mstsc.exe
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | Skype.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Skype.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Skype.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Skype.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Skype.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Skype.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Skype.exe
-
Enumerates processes with tasklist 1 TTPs 64 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 3 IoCs
pid | Process
3096 | taskkill.exe
1636 | taskkill.exe
3612 | taskkill.exe
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 31 IoCs
-
Modifies registry key 1 TTPs 7 IoCs
pid | Process
11904 | reg.exe
3600 | reg.exe
9944 | reg.exe
8496 | reg.exe
12000 | reg.exe
10668 | reg.exe
9796 | reg.exe
-
NTFS ADS 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 954646.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Skype-8.116.0.213.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\batch-virus-main.zip:Zone.Identifier | msedge.exe
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2328 | rustdesk.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
6704 | OpenWith.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3888 | rustdesk.exe
3888 | rustdesk.exe
2328 | rustdesk.exe
2328 | rustdesk.exe
6492 | MiniSearchHost.exe
6704 | OpenWith.exe
17304 | Process not Found
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rustdesk-1.2.3-1-x86_64.exe"C:\Users\Admin\AppData\Local\Temp\rustdesk-1.2.3-1-x86_64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RuntimeBroker_rustdesk.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe"C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"2⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\system32\icacls.exe"icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T3⤵
- Modifies file permissions
PID:2220
-
-
C:\Windows\system32\icacls.exe"icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T3⤵
- Modifies file permissions
PID:72
-
-
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe"C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832 -
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe"C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system4⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4432
-
-
-
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe"C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4728
-
-
C:\Windows\system32\cmd.exe"cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\taskkill.exetaskkill /F /IM RuntimeBroker_rustdesk.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
-
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe"C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --cm3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6412 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6464
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6472
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6604 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6652
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6660
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6732 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6780
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6788
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6844 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6892
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6900
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6976 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7024
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7032
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:7088 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7136
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7144
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6444 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6648
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6608
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:6852 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7036
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7052
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7284
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7352
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7360
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7676
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7728
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7736
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7848
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7896
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7904
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7956
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8004
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8020
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8092
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8140
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8148
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7248
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7364
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7412
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7512
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7092
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6644
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:2768
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7756
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7752
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7580
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6752
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6612
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7408
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7812
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7868
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7852
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8040
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8056
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7992
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5320
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:2192
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8156
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8108
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7284
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7392
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7248
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:1868
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7012
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6884
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7816
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7192
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6752
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7484
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7812
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7868
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8032
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7968
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7880
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7052
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6380
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6392
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8128
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7352
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7340
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7364
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7092
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:1236
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7336
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7180
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7576
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7228
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6764
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7884
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7968
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7964
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7160
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7060
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8092
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7868
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8004
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6308
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7976
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8040
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7512
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5256
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6380
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7812
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7908
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6808
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7544
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6608
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7548
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8040
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6388
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5348
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8060
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6764
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7180
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7320
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6808
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:2920
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8052
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7032
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7056
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6304
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6312
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5260
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6392
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7368
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7580
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8032
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8052
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7484
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6388
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7056
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7704
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6536
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7640
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7324
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7816
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8136
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6692
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7808
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7548
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7512
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7140
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8004
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7640
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7036
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6392
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8336
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8380
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8388
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8456
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8504
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8512
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8624
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:8812
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8820
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8896
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8936
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8944
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9004
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:9060
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9068
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9132
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Suspicious use of AdjustPrivilegeToken
PID:9176
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9184
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8400
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:8468
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8544
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8968
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8932
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8920
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8156
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6388
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8268
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9008
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:5544
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9148
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:4608
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8504
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8508
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8972
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:8920
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8956
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9100
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8220
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7336
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8952
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8960
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5916
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7652
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9196
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8964
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8500
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8540
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5396
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9172
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9156
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9012
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8964
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7336
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:2540
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:7456
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8968
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8540
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:8944
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9100
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9268
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9324
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9332
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9384
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9428
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9436
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9488
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9544
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9552
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9612
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9656
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9664
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9720
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:9780
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9788
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9864
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9908
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9916
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10216
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9460
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9432
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9808
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:9724
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9748
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5024
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9696
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9716
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5424
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6564
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10220
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9816
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:8924
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6536
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9508
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8904
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8968
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9540
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9440
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9244
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7784
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9628
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9644
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9460
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:9952
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10216
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9440
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6304
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9456
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9732
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:6324
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8356
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8040
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7272
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8968
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9824
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9244
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:1620
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7272
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9084
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9540
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9104
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9148
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9628
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6564
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8524
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10364
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10420
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10476
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10520
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10528
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10596
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10636
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10644
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10716
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10760
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10768
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10844
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10892
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10900
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10992
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11040
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11048
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11136
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11184
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11192
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11248
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9404
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6564
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10384
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:10412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10420
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10536
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10512
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10504
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9384
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10672
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10652
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10264
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10780
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10796
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10860
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10892
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10900
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10184
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11072
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11064
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11000
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:11216
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11200
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11136
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9408
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10276
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10328
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10984
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10968
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8112
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10420
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8728
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10636
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10624
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7352
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10780
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10796
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11068
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9492
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9580
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10340
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10384
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10424
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8652
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9944
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9900
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6324
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11152
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11216
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10624
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:8796
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10788
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11144
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:10496
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10328
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11080
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:10760
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10796
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10036
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10496
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10328
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10488
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9892
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9888
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6324
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6852
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9412
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11168
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9476
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9260
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10132
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10988
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10624
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8792
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10388
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10400
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10488
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10776
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6560
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10096
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10056
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10988
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7216
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9616
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10132
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10452
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7216
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11260
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10400
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5860
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10176
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9244
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10440
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11260
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:10440
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10768
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11276
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11284
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11464
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11508
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11516
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11676
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11732
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11740
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11864
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11904
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11912
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11988
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12040
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12048
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12140
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12188
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12196
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11320
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11132
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10548
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7212
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11044
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11540
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6984
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11700
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11724
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11936
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11932
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11880
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12056
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12040
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10388
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6452
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10044
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7204
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12276
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12252
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12204
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12148
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:5896
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8852
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:7212
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11044
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12024
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12044
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12000
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11608
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6452
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10044
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7204
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9072
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11360
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:2348
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11752
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11876
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11680
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6560
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12128
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12136
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5548
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11712
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10532
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11612
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10300
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11848
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10540
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:8720
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9924
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11812
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6928
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6612
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11796
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:7216
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:3544
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11920
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6612
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8664
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12072
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11840
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11292
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:9796
-
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10452
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11800
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:10668
-
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12072
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:3600
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6596
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:11840
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6612
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11888
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12284
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10048
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9616
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12284
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10664
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:11904
-
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10268
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11784
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12344
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12384
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12392
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12452
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12496
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12504
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12784
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12824
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12832
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13292
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11844
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8672
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12420
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12352
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12464
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12688
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12716
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11440
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9928
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10888
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10844
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12928
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12964
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12972
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12860
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12784
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12812
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9576
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13128
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13136
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13140
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10656
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6440
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:796
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8972
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9844
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13260
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8948
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8944
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10116
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9940
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10180
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10712
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12396
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12656
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12512
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:7612
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12388
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12344
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11444
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11480
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11040
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12884
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12896
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9528
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10820
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8780
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8944
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10208
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9228
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10700
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11784
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11532
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12484
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12412
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12480
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12500
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7612
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12704
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12724
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12376
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12888
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:11040
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12872
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11620
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9800
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10524
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10208
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11432
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9872
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9616
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12592
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10656
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12412
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12132
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12512
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12404
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13296
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12712
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9316
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:988
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12948
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9180
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11360
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:2024
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:4648
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10656
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9488
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9588
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:1304
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12356
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:7372
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:12680
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10204
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10768
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9316
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12804
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13008
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12936
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:7496
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10488
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9228
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12592
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12412
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12132
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12444
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:4172
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:11444
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12400
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12948
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9180
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11360
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12944
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11836
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12448
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10488
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12408
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12424
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12132
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12356
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10308
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10280
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11360
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10848
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9536
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11820
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12756
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12628
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10136
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12116
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:2000
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12444
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9912
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10952
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11448
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12448
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9588
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9844
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9572
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11784
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9436
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11040
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12388
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12888
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:2024
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:12936
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9800
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:10156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11560
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12412
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9676
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8248
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:12876
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9912
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9180
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8156
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8476
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8372
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13220
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:6556
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11444
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9364
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9572
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6900
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:5732
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:2024
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9832
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8156
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8856
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:10628
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:6440
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9568
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9652
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11784
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:6440
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:6556
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:9652
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:8156
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13364
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13412
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13420
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13484
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:13524
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13532
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14292
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:5020
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13320
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13528
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:13508
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13500
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:4560
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:14296
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14316
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:8156
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13692
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13660
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13528
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13392
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:3928
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14136
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13976
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14324
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:11376
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13532
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9836
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13976
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12824
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13320
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13968
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:1640
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:9568
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5020
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14324
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11608
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14232
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14036
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13952
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14296
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13320
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13976
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:9836
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14188
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14228
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13544
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13912
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13920
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14288
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13744
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13752
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13880
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14276
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13728
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14052
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14308
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13908
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:5020
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:14296
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10524
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14228
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:8120
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:4560
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13912
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:12924
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:10728
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13708
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13980
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14072
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14256
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13972
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14048
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13952
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11460
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13832
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:2348
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:11880
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11656
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13780
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13912
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13544
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:13380
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:13708
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:13560
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14048
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:5048
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:14156
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "tasklist | findstr consent.exe"3⤵PID:14200
-
C:\Windows\system32\tasklist.exetasklist4⤵PID:14228
-
-
C:\Windows\system32\findstr.exefindstr consent.exe4⤵PID:11880
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004941⤵
- Suspicious use of AdjustPrivilegeToken
PID:6284
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:7024
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:7516
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:7556
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:8340
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:4608
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9972 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ecb3cb8,0x7fff5ecb3cc8,0x7fff5ecb3cd82⤵PID:10060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:8944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:82⤵PID:9320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:9440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:9456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:12⤵PID:9940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵PID:9912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:8040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:9636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:12⤵PID:10548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:12⤵PID:8284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:11188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:9408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:12⤵PID:10276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵PID:10760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵PID:9488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:12⤵PID:9084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵PID:10608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵PID:10980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵PID:10652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3584 /prefetch:82⤵PID:8564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5944 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:11072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵PID:10784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:12⤵PID:9952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6976 /prefetch:82⤵PID:1620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵PID:11580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:11796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:12⤵PID:11432
-
-
C:\Users\Admin\Downloads\Skype-8.116.0.213.exe"C:\Users\Admin\Downloads\Skype-8.116.0.213.exe"2⤵
- Executes dropped EXE
PID:11864 -
C:\Users\Admin\AppData\Local\Temp\is-B1SJO.tmp\Skype-8.116.0.213.tmp"C:\Users\Admin\AppData\Local\Temp\is-B1SJO.tmp\Skype-8.116.0.213.tmp" /SL5="$90314,90120352,404480,C:\Users\Admin\Downloads\Skype-8.116.0.213.exe"3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:11836 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Skype.exe4⤵
- Kills process with taskkill
PID:3612
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
PID:12248 -
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=e8f4da8d-9ed9-49ec-8ed3-a106bf71ff86&uid=e8f4da8d-9ed9-49ec-8ed3-a106bf71ff86 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.116.0.213 "--annotation=exe=C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x598,0x59c,0x5a0,0x594,0x5a4,0x7e1d2d8,0x7e1d2e8,0x7e1d2f45⤵
- Executes dropped EXE
PID:11048
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 --field-trial-handle=2156,i,16929068636127048223,12419556138564409096,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:25⤵
- Executes dropped EXE
PID:11464
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2428 --field-trial-handle=2156,i,16929068636127048223,12419556138564409096,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:85⤵
- Executes dropped EXE
PID:11772
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:8496
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2904 --field-trial-handle=2156,i,16929068636127048223,12419556138564409096,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:15⤵
- Executes dropped EXE
PID:12176
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate5⤵
- Modifies registry key
PID:12000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:8720
-
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype For Desktop"5⤵
- Modifies registry key
PID:10668
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\tel\UserChoice /v ProgId5⤵
- Modifies registry key
PID:9796
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId5⤵
- Modifies registry key
PID:3600 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:11812
-
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\tel\UserChoice /v ProgId5⤵
- Modifies registry key
PID:11904
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCR\\Application /v ApplicationName5⤵PID:6596
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCR\\Application /v ApplicationName5⤵PID:7112
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3920 --field-trial-handle=2156,i,16929068636127048223,12419556138564409096,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:15⤵
- Executes dropped EXE
PID:7084
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId5⤵
- Modifies registry key
PID:9944
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve5⤵PID:7536
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve5⤵PID:10532
-
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3928 --field-trial-handle=2156,i,16929068636127048223,12419556138564409096,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:9568
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17208074650692400843,12400395398110887683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7100 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:9640
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:9148
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4860
-
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"1⤵
- Executes dropped EXE
PID:12324 -
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1856,i,8596061088418705308,2244525116118652628,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Executes dropped EXE
PID:7456
-
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:6440
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:4172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:12992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:13592 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff5ecb3cb8,0x7fff5ecb3cc8,0x7fff5ecb3cd82⤵PID:13612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:22⤵PID:13788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:13828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵PID:13884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:13964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵PID:13976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:12⤵PID:13972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵PID:13904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:12840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,17787020494565350048,5978465482033567475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:8156
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:14124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:14232
-
C:\Windows\system32\mstsc.exe"C:\Windows\system32\mstsc.exe"1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:13532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:8656 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ecb3cb8,0x7fff5ecb3cc8,0x7fff5ecb3cd82⤵PID:8804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:22⤵PID:14440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:14448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:82⤵PID:14456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:14588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:14600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵PID:15084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:15092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:14408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:14908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:13836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5208 /prefetch:82⤵PID:15092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5168 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:14704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:15260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:14596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵PID:15628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:15636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵PID:16140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:12⤵PID:16148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵PID:14628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,18099354559893394530,6468747941631036604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:15128
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:14684
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:14796
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Defense Evasion
- File and Directory Permissions Modification: 1
- Impair Defenses: 1
- Disable or Modify System Firewall: 1
- Modify Registry: 2
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\393b508d-7255-4f9e-964c-f7c700678c02.tmp
Filesize: 1B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Code Cache\js\index-dir\the-real-index
Filesize 48B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Code Cache\js\index-dir\the-real-index
Filesize 240B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Code Cache\js\index-dir\the-real-index
Filesize 96B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Local Storage\leveldb\CURRENT
Filesize 16B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Network\Network Persistent State
Filesize 849B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Network\TransportSecurity
Filesize 706B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Network\TransportSecurity~RFe5edaae.TMP
Filesize 539B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\97a4e8b8-110f-4f29-aacf-51169423087e\Session Storage\MANIFEST-000001
Filesize 41B
-