04e5c392d9ae6ce39e1181a75f6641ab11a33e2553368fe9d5802813ba5340ca

Resubmissions

30-11-2024 21:48

241130-1nrpla1jep 8

30-11-2024 21:46

241130-1mnxba1jcm 8

Analysis

max time kernel
24s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

untitled.exe
Size

245KB
MD5

3d403f366d81c9017ea7242e083dad33
SHA1

d5abdf75c5ed5032b298fd2afb1a29ac97716519
SHA256

04e5c392d9ae6ce39e1181a75f6641ab11a33e2553368fe9d5802813ba5340ca
SHA512

5163ebf669f568d64f4cbbb8f9aec5382064cc0d32b3a603a3d0ac1feafe84c63c978c6092cf6b1c5a89012d6c1aeb3edf397fb96e782dc9c7ba23518fef68dc
SSDEEP

6144:wRywQEWjxXCcL5jrpSiPv6v3T64croHBf:wSGcFJ5wT+CBf

Score

8^/10

defense_evasion discovery exploit persistence privilege_escalation

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3524	icacls.exe
3604	takeown.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3524	icacls.exe
3604	takeown.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\Fax\Personal CoverPages\desktop.ini	FXSCOVER.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	mctadmin.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
920	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\MpSigStub.exe	MpSigStub.exe
File opened for modification	C:\Windows\system32\comexp.msc	mmc.exe
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	C:\Windows\system32\mapi32.dll	fixmapi.exe
File opened for modification	C:\Windows\system32\MpSigStub.exe	MpSigStub.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3536	tasklist.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	djoin.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	djoin.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ieUnatt.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	djoin.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	dnscacheugc.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dispdiag.exe
File created	C:\Windows\FONTS\eudcadm.tte	eudcedit.exe
File opened for modification	C:\Windows\rescache\ResCache.mni	mcbuilder.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1E92A5EF-957C-4A50-8AC3-E5B99C588931}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1E92A5EF-957C-4A50-8AC3-E5B99C588931}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	dnscacheugc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	dnscacheugc.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	djoin.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	dnscacheugc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	ieUnatt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ieUnatt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ieUnatt.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3316	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3860	runas.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3800	PATHPING.EXE
3960	PING.EXE
3888	RpcPing.exe
3908	SnippingTool.exe
3216	TRACERT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\Identifier	bootcfg.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3756	timeout.exe

Enumerates system info in registry 2 TTPs 34 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS	dispdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	dispdiag.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3776	ipconfig.exe
3460	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3752	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3440	taskkill.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	DevicePairingWizard.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	DevicePairingWizard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	DevicePairingWizard.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	DevicePairingWizard.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DevicePairingWizard.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3960	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2916	aitagent.exe
2916	aitagent.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe
3560	lpksetup.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
2296	mmc.exe
1176	mmc.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeProfSingleProcessPrivilege	2916	aitagent.exe
Token: SeSecurityPrivilege	3056	auditpol.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2756	DrvInst.exe
Token: SeShutdownPrivilege	2188	DFDWiz.exe
Token: SeLoadDriverPrivilege	2756	DrvInst.exe
Token: SeLoadDriverPrivilege	2756	DrvInst.exe
Token: SeLoadDriverPrivilege	2756	DrvInst.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeRestorePrivilege	2152	dispdiag.exe
Token: SeTcbPrivilege	4028	klist.exe
Token: SeDebugPrivilege	3560	lpksetup.exe
Token: SeSecurityPrivilege	3696	mcbuilder.exe
Token: SeRestorePrivilege	3696	mcbuilder.exe
Token: SeTakeOwnershipPrivilege	3696	mcbuilder.exe
Token: SeSecurityPrivilege	1176	mmc.exe
Token: SeSecurityPrivilege	2372	mmc.exe
Token: SeSecurityPrivilege	2296	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: 33	2372	mmc.exe
Token: SeIncBasePriorityPrivilege	2372	mmc.exe
Token: 33	2296	mmc.exe
Token: SeIncBasePriorityPrivilege	2296	mmc.exe
Token: SeShutdownPrivilege	796	LogonUI.exe
Token: SeShutdownPrivilege	796	LogonUI.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2908	DevicePairingWizard.exe
3132	LocationNotifications.exe
2644	wmplayer.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3132	LocationNotifications.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe
3676	Magnify.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2372	mmc.exe
2908	DevicePairingWizard.exe
2296	mmc.exe
2108	certreq.exe
2372	mmc.exe
2296	mmc.exe
1572	eudcedit.exe
1176	mmc.exe
1572	eudcedit.exe
1176	mmc.exe
1992	FXSCOVER.exe
3804	irftp.exe
3676	Magnify.exe
3844	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2908	2304	untitled.exe	31
PID 2304 wrote to memory of 2908	2304	untitled.exe	31
PID 2304 wrote to memory of 2908	2304	untitled.exe	31
PID 2304 wrote to memory of 2916	2304	untitled.exe	32
PID 2304 wrote to memory of 2916	2304	untitled.exe	32
PID 2304 wrote to memory of 2916	2304	untitled.exe	32
PID 2304 wrote to memory of 2808	2304	untitled.exe	33
PID 2304 wrote to memory of 2808	2304	untitled.exe	33
PID 2304 wrote to memory of 2808	2304	untitled.exe	33
PID 2304 wrote to memory of 2980	2304	untitled.exe	35
PID 2304 wrote to memory of 2980	2304	untitled.exe	35
PID 2304 wrote to memory of 2980	2304	untitled.exe	35
PID 2304 wrote to memory of 1928	2304	untitled.exe	36
PID 2304 wrote to memory of 1928	2304	untitled.exe	36
PID 2304 wrote to memory of 1928	2304	untitled.exe	36
PID 2304 wrote to memory of 264	2304	untitled.exe	38
PID 2304 wrote to memory of 264	2304	untitled.exe	38
PID 2304 wrote to memory of 264	2304	untitled.exe	38
PID 2304 wrote to memory of 932	2304	untitled.exe	41
PID 2304 wrote to memory of 932	2304	untitled.exe	41
PID 2304 wrote to memory of 932	2304	untitled.exe	41
PID 2304 wrote to memory of 596	2304	untitled.exe	42
PID 2304 wrote to memory of 596	2304	untitled.exe	42
PID 2304 wrote to memory of 596	2304	untitled.exe	42
PID 2304 wrote to memory of 2168	2304	untitled.exe	43
PID 2304 wrote to memory of 2168	2304	untitled.exe	43
PID 2304 wrote to memory of 2168	2304	untitled.exe	43
PID 2304 wrote to memory of 2852	2304	untitled.exe	44
PID 2304 wrote to memory of 2852	2304	untitled.exe	44
PID 2304 wrote to memory of 2852	2304	untitled.exe	44
PID 2304 wrote to memory of 3056	2304	untitled.exe	45
PID 2304 wrote to memory of 3056	2304	untitled.exe	45
PID 2304 wrote to memory of 3056	2304	untitled.exe	45
PID 2304 wrote to memory of 2772	2304	untitled.exe	52
PID 2304 wrote to memory of 2772	2304	untitled.exe	52
PID 2304 wrote to memory of 2772	2304	untitled.exe	52
PID 2304 wrote to memory of 2780	2304	untitled.exe	53
PID 2304 wrote to memory of 2780	2304	untitled.exe	53
PID 2304 wrote to memory of 2780	2304	untitled.exe	53
PID 2304 wrote to memory of 2876	2304	untitled.exe	54
PID 2304 wrote to memory of 2876	2304	untitled.exe	54
PID 2304 wrote to memory of 2876	2304	untitled.exe	54
PID 2304 wrote to memory of 2864	2304	untitled.exe	56
PID 2304 wrote to memory of 2864	2304	untitled.exe	56
PID 2304 wrote to memory of 2864	2304	untitled.exe	56
PID 2304 wrote to memory of 580	2304	untitled.exe	58
PID 2304 wrote to memory of 580	2304	untitled.exe	58
PID 2304 wrote to memory of 580	2304	untitled.exe	58
PID 2304 wrote to memory of 2704	2304	untitled.exe	60
PID 2304 wrote to memory of 2704	2304	untitled.exe	60
PID 2304 wrote to memory of 2704	2304	untitled.exe	60
PID 2304 wrote to memory of 804	2304	untitled.exe	61
PID 2304 wrote to memory of 804	2304	untitled.exe	61
PID 2304 wrote to memory of 804	2304	untitled.exe	61
PID 2304 wrote to memory of 2580	2304	untitled.exe	62
PID 2304 wrote to memory of 2580	2304	untitled.exe	62
PID 2304 wrote to memory of 2580	2304	untitled.exe	62
PID 2304 wrote to memory of 2820	2304	untitled.exe	63
PID 2304 wrote to memory of 2820	2304	untitled.exe	63
PID 2304 wrote to memory of 2820	2304	untitled.exe	63
PID 2304 wrote to memory of 2720	2304	untitled.exe	64
PID 2304 wrote to memory of 2720	2304	untitled.exe	64
PID 2304 wrote to memory of 2720	2304	untitled.exe	64
PID 2304 wrote to memory of 2960	2304	untitled.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\untitled.exe
"C:\Users\Admin\AppData\Local\Temp\untitled.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\AdapterTroubleshooter.exe
  "C:\Windows\System32\AdapterTroubleshooter.exe"
  2⤵
  PID:2908
- C:\Windows\System32\aitagent.exe
  "C:\Windows\System32\aitagent.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\alg.exe
  "C:\Windows\System32\alg.exe"
  2⤵
  PID:2808
- C:\Windows\System32\appidcertstorecheck.exe
  "C:\Windows\System32\appidcertstorecheck.exe"
  2⤵
  PID:2980
- C:\Windows\System32\appidpolicyconverter.exe
  "C:\Windows\System32\appidpolicyconverter.exe"
  2⤵
  PID:1928
- C:\Windows\System32\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:264
- C:\Windows\System32\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:932
- C:\Windows\System32\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:596
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - Views/modifies file attributes
  PID:2168
- C:\Windows\System32\audiodg.exe
  "C:\Windows\System32\audiodg.exe"
  2⤵
  PID:2852
- C:\Windows\System32\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:3004
- C:\Windows\System32\autoconv.exe
  "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:3068
- C:\Windows\System32\autofmt.exe
  "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:2740
- C:\Windows\System32\AxInstUI.exe
  "C:\Windows\System32\AxInstUI.exe"
  2⤵
  PID:2772
- C:\Windows\System32\baaupdate.exe
  "C:\Windows\System32\baaupdate.exe"
  2⤵
  PID:2780
- C:\Windows\System32\bcdboot.exe
  "C:\Windows\System32\bcdboot.exe"
  2⤵
  PID:2876
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe"
  2⤵
  PID:2864
- C:\Windows\System32\BdeHdCfg.exe
  "C:\Windows\System32\BdeHdCfg.exe"
  2⤵
  PID:580
- C:\Windows\System32\BdeUISrv.exe
  "C:\Windows\System32\BdeUISrv.exe"
  2⤵
  PID:2704
- C:\Windows\System32\BdeUnlockWizard.exe
  "C:\Windows\System32\BdeUnlockWizard.exe"
  2⤵
  PID:804
- C:\Windows\System32\BitLockerWizard.exe
  "C:\Windows\System32\BitLockerWizard.exe"
  2⤵
  PID:2580
- C:\Windows\System32\BitLockerWizardElev.exe
  "C:\Windows\System32\BitLockerWizardElev.exe"
  2⤵
  PID:2820
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:2720
- C:\Windows\System32\bootcfg.exe
  "C:\Windows\System32\bootcfg.exe"
  2⤵
  - Checks processor information in registry
  PID:2960
- C:\Windows\System32\bridgeunattend.exe
  "C:\Windows\System32\bridgeunattend.exe"
  2⤵
  PID:2680
- C:\Windows\System32\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:2656
- C:\Windows\System32\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  PID:2604
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2776
- C:\Windows\System32\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  PID:2540
- C:\Windows\System32\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  PID:268
- C:\Windows\System32\change.exe
  "C:\Windows\System32\change.exe"
  2⤵
  PID:2480
- C:\Windows\System32\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  PID:2024
- C:\Windows\System32\chglogon.exe
  "C:\Windows\System32\chglogon.exe"
  2⤵
  PID:2464
- C:\Windows\System32\chgport.exe
  "C:\Windows\System32\chgport.exe"
  2⤵
  PID:2328
- C:\Windows\System32\chgusr.exe
  "C:\Windows\System32\chgusr.exe"
  2⤵
  PID:712
- C:\Windows\System32\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  PID:1712
- C:\Windows\System32\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  PID:316
- C:\Windows\System32\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  PID:2308
- C:\Windows\System32\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  PID:2344
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  PID:2288
- C:\Windows\System32\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  PID:1968
- C:\Windows\System32\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1724
- C:\Windows\System32\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  PID:1360
- C:\Windows\System32\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  PID:1196
- C:\Windows\System32\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  PID:1576
- C:\Windows\System32\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  PID:1888
- C:\Windows\System32\cofire.exe
  "C:\Windows\System32\cofire.exe"
  2⤵
  PID:2028
- C:\Windows\System32\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  PID:1016
- C:\Windows\System32\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  PID:1048
- C:\Windows\System32\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  PID:1612
- C:\Windows\System32\CompMgmtLauncher.exe
  "C:\Windows\System32\CompMgmtLauncher.exe"
  2⤵
  PID:2840
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2296
- C:\Windows\System32\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  PID:2612
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe"
  2⤵
  PID:1944
- C:\Windows\System32\consent.exe
  "C:\Windows\System32\consent.exe"
  2⤵
  PID:2524
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:408
- C:\Windows\System32\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  PID:1108
- C:\Windows\System32\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:1180
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  PID:2400
- C:\Windows\System32\csrss.exe
  "C:\Windows\System32\csrss.exe"
  2⤵
  PID:3040
- C:\Windows\System32\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:920
- C:\Windows\System32\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  PID:1716
- C:\Windows\System32\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:2056
- C:\Windows\System32\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:2984
- C:\Windows\System32\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:2384
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2372
- C:\Windows\System32\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:2036
- C:\Windows\System32\Defrag.exe
  "C:\Windows\System32\Defrag.exe"
  2⤵
  PID:2116
- C:\Windows\System32\DeviceDisplayObjectProvider.exe
  "C:\Windows\System32\DeviceDisplayObjectProvider.exe"
  2⤵
  PID:356
- C:\Windows\System32\DeviceEject.exe
  "C:\Windows\System32\DeviceEject.exe"
  2⤵
  PID:1472
- C:\Windows\System32\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe"
  2⤵
  PID:3068
- C:\Windows\System32\DFDWiz.exe
  "C:\Windows\System32\DFDWiz.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:2660
- C:\Windows\System32\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:2476
- C:\Windows\System32\diantz.exe
  "C:\Windows\System32\diantz.exe"
  2⤵
  PID:1920
- C:\Windows\System32\dinotify.exe
  "C:\Windows\System32\dinotify.exe"
  2⤵
  PID:572
- C:\Windows\System32\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:980
- C:\Windows\System32\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:1312
- C:\Windows\System32\diskraid.exe
  "C:\Windows\System32\diskraid.exe"
  2⤵
  PID:2508
- C:\Windows\System32\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  - Drops file in Windows directory
  PID:1260
- C:\Windows\System32\dispdiag.exe
  "C:\Windows\System32\dispdiag.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\DisplaySwitch.exe
  "C:\Windows\System32\DisplaySwitch.exe"
  2⤵
  PID:3036
- C:\Windows\System32\djoin.exe
  "C:\Windows\System32\djoin.exe"
  2⤵
  - Drops file in Windows directory
  PID:2008
- C:\Windows\System32\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:2128
- C:\Windows\System32\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:1128
- C:\Windows\System32\dnscacheugc.exe
  "C:\Windows\System32\dnscacheugc.exe"
  2⤵
  - Drops file in Windows directory
  PID:2484
- C:\Windows\System32\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:1572
- C:\Windows\System32\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:3068
- C:\Windows\System32\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:3032
- C:\Windows\System32\dpnsvr.exe
  "C:\Windows\System32\dpnsvr.exe"
  2⤵
  PID:1552
- C:\Windows\System32\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:1148
- C:\Windows\System32\drvinst.exe
  "C:\Windows\System32\drvinst.exe"
  2⤵
  PID:408
- C:\Windows\System32\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:704
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2644
- C:\Windows\System32\dvdupgrd.exe
  "C:\Windows\System32\dvdupgrd.exe"
  2⤵
  PID:2744
- C:\Windows\System32\dwm.exe
  "C:\Windows\System32\dwm.exe"
  2⤵
  PID:2412
- C:\Windows\System32\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:1312
- C:\Windows\System32\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- C:\Windows\System32\Dxpserver.exe
  "C:\Windows\System32\Dxpserver.exe"
  2⤵
  PID:1944
- C:\Windows\System32\Eap3Host.exe
  "C:\Windows\System32\Eap3Host.exe"
  2⤵
  PID:2852
- C:\Windows\System32\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:1176
- C:\Windows\System32\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:2060
- C:\Windows\System32\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:1212
- C:\Windows\System32\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Windows\System32\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:2912
- C:\Windows\System32\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:2744
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1176
- C:\Windows\System32\expand.exe
  "C:\Windows\System32\expand.exe"
  2⤵
  PID:2444
- C:\Windows\System32\extrac32.exe
  "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:1356
- C:\Windows\System32\fc.exe
  "C:\Windows\System32\fc.exe"
  2⤵
  PID:1680
- C:\Windows\System32\find.exe
  "C:\Windows\System32\find.exe"
  2⤵
  PID:904
- C:\Windows\System32\findstr.exe
  "C:\Windows\System32\findstr.exe"
  2⤵
  PID:264
- C:\Windows\System32\finger.exe
  "C:\Windows\System32\finger.exe"
  2⤵
  PID:2744
- C:\Windows\System32\fixmapi.exe
  "C:\Windows\System32\fixmapi.exe"
  2⤵
  - Drops file in System32 directory
  PID:2728
- C:\Windows\System32\fltMC.exe
  "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:572
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe"
  2⤵
  PID:2416
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:2444
- - C:\Windows\System32\cmd.exe
    /c echo "06589065-81a6-4a34-9932-08d9f8bb4483.tmp"
    3⤵
    PID:2964
- - C:\Windows\System32\cmd.exe
    /c echo "1263317944"
    3⤵
    PID:716
- - C:\Windows\System32\cmd.exe
    /c echo "1733003300"
    3⤵
    PID:1108
- - C:\Windows\System32\cmd.exe
    /c echo "1733003301"
    3⤵
    PID:1680
- - C:\Windows\System32\cmd.exe
    /c echo "1733003302"
    3⤵
    PID:2728
- - C:\Windows\System32\cmd.exe
    /c echo "1733003303"
    3⤵
    PID:572
- - C:\Windows\System32\cmd.exe
    /c echo "6510277a-296b-4b56-a9c9-3f581e159426.tmp"
    3⤵
    PID:2012
- - C:\Windows\System32\cmd.exe
    /c echo "Admin.bmp"
    3⤵
    PID:3088
- - C:\Windows\System32\cmd.exe
    /c echo "ASPNETSetup_00000.log"
    3⤵
    PID:3108
- - C:\Windows\System32\cmd.exe
    /c echo "ASPNETSetup_00001.log"
    3⤵
    PID:3124
- - C:\Windows\System32\cmd.exe
    /c echo "chrome_installer.log"
    3⤵
    PID:3192
- - C:\Windows\System32\cmd.exe
    /c echo "ddodiag.xml"
    3⤵
    PID:3208
- - C:\Windows\System32\cmd.exe
    /c echo "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:3248
- - C:\Windows\System32\cmd.exe
    /c echo "dd_SetupUtility.txt"
    3⤵
    PID:3260
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistMSI1DE2.txt"
    3⤵
    PID:3300
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistMSI1E19.txt"
    3⤵
    PID:3324
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistUI1DE2.txt"
    3⤵
    PID:3372
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistUI1E19.txt"
    3⤵
    PID:3400
- - C:\Windows\System32\cmd.exe
    /c echo "dd_wcf_CA_smci_20240903_051522_401.txt"
    3⤵
    PID:3420
- - C:\Windows\System32\cmd.exe
    /c echo "dd_wcf_CA_smci_20240903_051522_760.txt"
    3⤵
    PID:3464
- - C:\Windows\System32\cmd.exe
    /c echo "DELCB79.tmp"
    3⤵
    PID:3504
- - C:\Windows\System32\cmd.exe
    /c echo "DELCBA9.tmp"
    3⤵
    PID:3540
- - C:\Windows\System32\cmd.exe
    /c echo "DELCBC7.tmp"
    3⤵
    PID:3552
- - C:\Windows\System32\cmd.exe
    /c echo "DELCBE8.tmp"
    3⤵
    PID:3584
- - C:\Windows\System32\cmd.exe
    /c echo "DispDiag-20241130-214822-2152-1600.dat"
    3⤵
    PID:3608
- - C:\Windows\System32\cmd.exe
    /c echo "FXSAPIDebugLogFile.txt"
    3⤵
    PID:3616
- - C:\Windows\System32\cmd.exe
    /c echo "hsperfdata_Admin"
    3⤵
    PID:3648
- - C:\Windows\System32\cmd.exe
    /c echo "JavaDeployReg.log"
    3⤵
    PID:3676
- - C:\Windows\System32\cmd.exe
    /c echo "java_install.log"
    3⤵
    PID:3692
- - C:\Windows\System32\cmd.exe
    /c echo "java_install_reg.log"
    3⤵
    PID:3712
- - C:\Windows\System32\cmd.exe
    /c echo "jawshtml.html"
    3⤵
    PID:3760
- - C:\Windows\System32\cmd.exe
    /c echo "jusched.log"
    3⤵
    PID:3792
- - C:\Windows\System32\cmd.exe
    /c echo "Kno51BA.tmp"
    3⤵
    PID:3812
- - C:\Windows\System32\cmd.exe
    /c echo "Kno907B.tmp"
    3⤵
    PID:3820
- - C:\Windows\System32\cmd.exe
    /c echo "Low"
    3⤵
    PID:3852
- - C:\Windows\System32\cmd.exe
    /c echo "lpksetup-20240903-052254-0.log"
    3⤵
    PID:3868
- - C:\Windows\System32\cmd.exe
    /c echo "lpksetup-20240903-052430-0.log"
    3⤵
    PID:3876
- - C:\Windows\System32\cmd.exe
    /c echo "lpksetup-20240903-052555-0.log"
    3⤵
    PID:3896
- - C:\Windows\System32\cmd.exe
    /c echo "lpksetup-20240903-052731-0.log"
    3⤵
    PID:3928
- - C:\Windows\System32\cmd.exe
    /c echo "lpksetup-20240903-052900-0.log"
    3⤵
    PID:3944
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft .NET Framework 4.7.2 Setup_20240903_051511232-MSI_netfx_Full_x64.msi.txt"
    3⤵
    PID:3968
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft .NET Framework 4.7.2 Setup_20240903_051511232.html"
    3⤵
    PID:4020
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219"
    3⤵
    PID:2728
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219"
    3⤵
    PID:3264
- - C:\Windows\System32\cmd.exe
    /c echo "mozilla-temp-files"
    3⤵
    PID:804
- - C:\Windows\System32\cmd.exe
    /c echo "ose00000.exe"
    3⤵
    PID:3340
- - C:\Windows\System32\cmd.exe
    /c echo "RD2B92.tmp"
    3⤵
    PID:1200
- - C:\Windows\System32\cmd.exe
    /c echo "RGI14C9.tmp"
    3⤵
    PID:3324
- - C:\Windows\System32\cmd.exe
    /c echo "RGI14C9.tmp-tmp"
    3⤵
    PID:3372
- - C:\Windows\System32\cmd.exe
    /c echo "scoped_dir2112_1667198029"
    3⤵
    PID:3384
- - C:\Windows\System32\cmd.exe
    /c echo "scoped_dir2112_817205846"
    3⤵
    PID:3464
- - C:\Windows\System32\cmd.exe
    /c echo "SetupExe(20240903051847924).log"
    3⤵
    PID:3436
- - C:\Windows\System32\cmd.exe
    /c echo "untitled.exe"
    3⤵
    PID:3232
- - C:\Windows\System32\cmd.exe
    /c echo "VBE"
    3⤵
    PID:3508
- - C:\Windows\System32\cmd.exe
    /c echo "wmsetup.log"
    3⤵
    PID:3512
- - C:\Windows\System32\cmd.exe
    /c echo "WPDNSE"
    3⤵
    PID:3524
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:2728
- C:\Windows\System32\ftp.exe
  "C:\Windows\System32\ftp.exe"
  2⤵
  PID:1412
- C:\Windows\System32\fvenotify.exe
  "C:\Windows\System32\fvenotify.exe"
  2⤵
  PID:2808
- C:\Windows\System32\fveprompt.exe
  "C:\Windows\System32\fveprompt.exe"
  2⤵
  PID:608
- C:\Windows\System32\FXSCOVER.exe
  "C:\Windows\System32\FXSCOVER.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Windows\System32\FXSSVC.exe
  "C:\Windows\System32\FXSSVC.exe"
  2⤵
  PID:2744
- C:\Windows\System32\FXSUNATD.exe
  "C:\Windows\System32\FXSUNATD.exe"
  2⤵
  PID:1632
- C:\Windows\System32\getmac.exe
  "C:\Windows\System32\getmac.exe"
  2⤵
  PID:408
- C:\Windows\System32\GettingStarted.exe
  "C:\Windows\System32\GettingStarted.exe"
  2⤵
  PID:3100
- - C:\Windows\system32\Control.exe
    "C:\Windows\system32\Control.exe" /name Microsoft.GettingStarted
    3⤵
    PID:3160
- C:\Windows\System32\gpresult.exe
  "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:3116
- C:\Windows\System32\gpscript.exe
  "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:3200
- C:\Windows\System32\gpupdate.exe
  "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:3216
- C:\Windows\System32\grpconv.exe
  "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:3268
- C:\Windows\System32\gxbog2.exe
  "C:\Windows\System32\gxbog2.exe"
  2⤵
  PID:3292
- C:\Windows\System32\hdwwiz.exe
  "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:3348
- C:\Windows\System32\help.exe
  "C:\Windows\System32\help.exe"
  2⤵
  PID:3384
- C:\Windows\System32\HOSTNAME.EXE
  "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:3412
- C:\Windows\System32\hwrcomp.exe
  "C:\Windows\System32\hwrcomp.exe"
  2⤵
  PID:3436
- C:\Windows\System32\hwrreg.exe
  "C:\Windows\System32\hwrreg.exe"
  2⤵
  PID:3480
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3524
- C:\Windows\System32\icardagt.exe
  "C:\Windows\System32\icardagt.exe"
  2⤵
  PID:3560
- C:\Windows\System32\icsunattend.exe
  "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:3568
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe"
  2⤵
  PID:3600
- C:\Windows\System32\ieetwcollector.exe
  "C:\Windows\System32\ieetwcollector.exe"
  2⤵
  PID:3628
- C:\Windows\System32\ieUnatt.exe
  "C:\Windows\System32\ieUnatt.exe"
  2⤵
  - Drops file in Windows directory
  PID:3660
- C:\Windows\System32\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:3700
- C:\Windows\System32\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:3740
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:3776
- C:\Windows\System32\irftp.exe
  "C:\Windows\System32\irftp.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3804
- C:\Windows\System32\iscsicli.exe
  "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:3832
- C:\Windows\System32\iscsicpl.exe
  "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:3860
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:3884
- C:\Windows\System32\java.exe
  "C:\Windows\System32\java.exe"
  2⤵
  PID:3904
- C:\Windows\System32\javaw.exe
  "C:\Windows\System32\javaw.exe"
  2⤵
  PID:3936
- C:\Windows\System32\javaws.exe
  "C:\Windows\System32\javaws.exe"
  2⤵
  PID:3960
- - C:\Program Files\Java\jre7\bin\javaws.exe
    C:\Windows\System32\javaws.exe
    3⤵
    PID:3976
- C:\Windows\System32\klist.exe
  "C:\Windows\System32\klist.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\ksetup.exe
  "C:\Windows\System32\ksetup.exe"
  2⤵
  PID:4044
- C:\Windows\System32\ktmutil.exe
  "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:3228
- C:\Windows\System32\label.exe
  "C:\Windows\System32\label.exe"
  2⤵
  PID:3100
- C:\Windows\System32\LocationNotifications.exe
  "C:\Windows\System32\LocationNotifications.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3132
- C:\Windows\System32\Locator.exe
  "C:\Windows\System32\Locator.exe"
  2⤵
  PID:2408
- C:\Windows\System32\lodctr.exe
  "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:3060
- C:\Windows\System32\logagent.exe
  "C:\Windows\System32\logagent.exe"
  2⤵
  PID:1356
- C:\Windows\System32\logman.exe
  "C:\Windows\System32\logman.exe"
  2⤵
  PID:3404
- C:\Windows\System32\logoff.exe
  "C:\Windows\System32\logoff.exe"
  2⤵
  PID:3424
- C:\Windows\System32\LogonUI.exe
  "C:\Windows\System32\LogonUI.exe"
  2⤵
  PID:3416
- C:\Windows\System32\lpksetup.exe
  "C:\Windows\System32\lpksetup.exe"
  2⤵
  PID:3412
- C:\Windows\System32\lpremove.exe
  "C:\Windows\System32\lpremove.exe"
  2⤵
  PID:3536
- C:\Windows\System32\lsass.exe
  "C:\Windows\System32\lsass.exe"
  2⤵
  PID:3552
- C:\Windows\System32\lsm.exe
  "C:\Windows\System32\lsm.exe"
  2⤵
  PID:3600
- C:\Windows\System32\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:3152
- C:\Windows\System32\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:2864
- C:\Windows\System32\manage-bde.exe
  "C:\Windows\System32\manage-bde.exe"
  2⤵
  PID:3648
- C:\Windows\System32\mblctr.exe
  "C:\Windows\System32\mblctr.exe"
  2⤵
  PID:3644
- C:\Windows\System32\mcbuilder.exe
  "C:\Windows\System32\mcbuilder.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\System32\mctadmin.exe
  "C:\Windows\System32\mctadmin.exe"
  2⤵
  - Drops desktop.ini file(s)
  PID:3748
- C:\Windows\System32\MdRes.exe
  "C:\Windows\System32\MdRes.exe"
  2⤵
  PID:3728
- C:\Windows\System32\MdSched.exe
  "C:\Windows\System32\MdSched.exe"
  2⤵
  PID:3724
- C:\Windows\System32\mfpmp.exe
  "C:\Windows\System32\mfpmp.exe"
  2⤵
  PID:3756
- C:\Windows\System32\MigAutoPlay.exe
  "C:\Windows\System32\MigAutoPlay.exe"
  2⤵
  PID:3788
- C:\Windows\System32\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3844
- C:\Windows\System32\mobsync.exe
  "C:\Windows\System32\mobsync.exe"
  2⤵
  PID:3868
- C:\Windows\System32\mountvol.exe
  "C:\Windows\System32\mountvol.exe"
  2⤵
  PID:3920
- C:\Windows\System32\mpnotify.exe
  "C:\Windows\System32\mpnotify.exe"
  2⤵
  PID:4000
- C:\Windows\System32\MpSigStub.exe
  "C:\Windows\System32\MpSigStub.exe"
  2⤵
  - Drops file in System32 directory
  PID:3092
- C:\Windows\System32\MRINFO.EXE
  "C:\Windows\System32\MRINFO.EXE"
  2⤵
  PID:3200
- C:\Windows\System32\msconfig.exe
  "C:\Windows\System32\msconfig.exe"
  2⤵
  PID:904
- C:\Windows\System32\msdt.exe
  "C:\Windows\System32\msdt.exe"
  2⤵
  PID:3956
- C:\Windows\System32\msdtc.exe
  "C:\Windows\System32\msdtc.exe"
  2⤵
  PID:4012
- C:\Windows\System32\msfeedssync.exe
  "C:\Windows\System32\msfeedssync.exe"
  2⤵
  PID:2492
- C:\Windows\System32\msg.exe
  "C:\Windows\System32\msg.exe"
  2⤵
  PID:3192
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe"
  2⤵
  PID:3936
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe"
  2⤵
  PID:4008
- C:\Windows\System32\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe"
  2⤵
  PID:4060
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:3096
- C:\Windows\System32\msra.exe
  "C:\Windows\System32\msra.exe"
  2⤵
  PID:3108
- C:\Windows\System32\MsSpellCheckingFacility.exe
  "C:\Windows\System32\MsSpellCheckingFacility.exe"
  2⤵
  PID:3908
- C:\Windows\System32\mstsc.exe
  "C:\Windows\System32\mstsc.exe"
  2⤵
  PID:3924
- C:\Windows\System32\mtstocom.exe
  "C:\Windows\System32\mtstocom.exe"
  2⤵
  PID:3120
- C:\Windows\System32\MuiUnattend.exe
  "C:\Windows\System32\MuiUnattend.exe"
  2⤵
  PID:4056
- C:\Windows\System32\MultiDigiMon.exe
  "C:\Windows\System32\MultiDigiMon.exe"
  2⤵
  PID:3148
- C:\Windows\System32\NAPSTAT.EXE
  "C:\Windows\System32\NAPSTAT.EXE"
  2⤵
  PID:3172
- C:\Windows\System32\Narrator.exe
  "C:\Windows\System32\Narrator.exe"
  2⤵
  PID:4032
- C:\Windows\System32\nbtstat.exe
  "C:\Windows\System32\nbtstat.exe"
  2⤵
  PID:2976
- C:\Windows\System32\ndadmin.exe
  "C:\Windows\System32\ndadmin.exe"
  2⤵
  PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe"
  2⤵
  PID:4044
- C:\Windows\System32\net1.exe
  "C:\Windows\System32\net1.exe"
  2⤵
  PID:3336
- C:\Windows\System32\netbtugc.exe
  "C:\Windows\System32\netbtugc.exe"
  2⤵
  PID:2876
- C:\Windows\System32\netcfg.exe
  "C:\Windows\System32\netcfg.exe"
  2⤵
  PID:1200
- C:\Windows\System32\netiougc.exe
  "C:\Windows\System32\netiougc.exe"
  2⤵
  PID:2692
- C:\Windows\System32\Netplwiz.exe
  "C:\Windows\System32\Netplwiz.exe"
  2⤵
  PID:356
- C:\Windows\System32\NetProj.exe
  "C:\Windows\System32\NetProj.exe"
  2⤵
  PID:3372
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe"
  2⤵
  PID:3452
- C:\Windows\System32\NETSTAT.EXE
  "C:\Windows\System32\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3460
- C:\Windows\System32\newdev.exe
  "C:\Windows\System32\newdev.exe"
  2⤵
  PID:3468
- C:\Windows\System32\nltest.exe
  "C:\Windows\System32\nltest.exe"
  2⤵
  PID:3236
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3508
- C:\Windows\System32\nslookup.exe
  "C:\Windows\System32\nslookup.exe"
  2⤵
  PID:3488
- C:\Windows\System32\ntoskrnl.exe
  "C:\Windows\System32\ntoskrnl.exe"
  2⤵
  PID:3548
- C:\Windows\System32\ntprint.exe
  "C:\Windows\System32\ntprint.exe"
  2⤵
  PID:2444
- C:\Windows\System32\ocsetup.exe
  "C:\Windows\System32\ocsetup.exe"
  2⤵
  PID:264
- C:\Windows\System32\odbcad32.exe
  "C:\Windows\System32\odbcad32.exe"
  2⤵
  PID:3612
- C:\Windows\System32\odbcconf.exe
  "C:\Windows\System32\odbcconf.exe"
  2⤵
  PID:3640
- C:\Windows\System32\openfiles.exe
  "C:\Windows\System32\openfiles.exe"
  2⤵
  PID:3628
- C:\Windows\System32\OptionalFeatures.exe
  "C:\Windows\System32\OptionalFeatures.exe"
  2⤵
  PID:3668
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  PID:3728
- C:\Windows\System32\p2phost.exe
  "C:\Windows\System32\p2phost.exe"
  2⤵
  PID:3756
- C:\Windows\System32\PATHPING.EXE
  "C:\Windows\System32\PATHPING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3800
- C:\Windows\System32\pcalua.exe
  "C:\Windows\System32\pcalua.exe"
  2⤵
  PID:3652
- C:\Windows\System32\pcaui.exe
  "C:\Windows\System32\pcaui.exe"
  2⤵
  PID:3872
- C:\Windows\System32\pcawrk.exe
  "C:\Windows\System32\pcawrk.exe"
  2⤵
  PID:3648
- C:\Windows\System32\pcwrun.exe
  "C:\Windows\System32\pcwrun.exe"
  2⤵
  PID:3932
- C:\Windows\System32\perfmon.exe
  "C:\Windows\System32\perfmon.exe"
  2⤵
  PID:3928
- C:\Windows\System32\PING.EXE
  "C:\Windows\System32\PING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3960
- C:\Windows\System32\PkgMgr.exe
  "C:\Windows\System32\PkgMgr.exe"
  2⤵
  PID:3848
- C:\Windows\System32\plasrv.exe
  "C:\Windows\System32\plasrv.exe"
  2⤵
  PID:3832
- C:\Windows\System32\PnPUnattend.exe
  "C:\Windows\System32\PnPUnattend.exe"
  2⤵
  PID:1696
- C:\Windows\System32\PnPutil.exe
  "C:\Windows\System32\PnPutil.exe"
  2⤵
  PID:3868
- C:\Windows\System32\poqexec.exe
  "C:\Windows\System32\poqexec.exe"
  2⤵
  PID:2344
- C:\Windows\System32\powercfg.exe
  "C:\Windows\System32\powercfg.exe"
  2⤵
  - Power Settings
  PID:920
- C:\Windows\System32\PresentationHost.exe
  "C:\Windows\System32\PresentationHost.exe"
  2⤵
  PID:3084
- C:\Windows\System32\PresentationSettings.exe
  "C:\Windows\System32\PresentationSettings.exe"
  2⤵
  PID:3896
- C:\Windows\System32\prevhost.exe
  "C:\Windows\System32\prevhost.exe"
  2⤵
  PID:3844
- C:\Windows\System32\print.exe
  "C:\Windows\System32\print.exe"
  2⤵
  PID:3112
- C:\Windows\System32\PrintBrmUi.exe
  "C:\Windows\System32\PrintBrmUi.exe"
  2⤵
  PID:3812
- C:\Windows\System32\printfilterpipelinesvc.exe
  "C:\Windows\System32\printfilterpipelinesvc.exe"
  2⤵
  PID:3124
- C:\Windows\System32\PrintIsolationHost.exe
  "C:\Windows\System32\PrintIsolationHost.exe"
  2⤵
  PID:3208
- C:\Windows\System32\printui.exe
  "C:\Windows\System32\printui.exe"
  2⤵
  PID:904
- C:\Windows\System32\proquota.exe
  "C:\Windows\System32\proquota.exe"
  2⤵
  PID:1556
- C:\Windows\System32\psr.exe
  "C:\Windows\System32\psr.exe"
  2⤵
  PID:1288
- C:\Windows\System32\PushPrinterConnections.exe
  "C:\Windows\System32\PushPrinterConnections.exe"
  2⤵
  PID:1712
- C:\Windows\System32\qappsrv.exe
  "C:\Windows\System32\qappsrv.exe"
  2⤵
  PID:4012
- C:\Windows\System32\qprocess.exe
  "C:\Windows\System32\qprocess.exe"
  2⤵
  PID:3940
- C:\Windows\System32\query.exe
  "C:\Windows\System32\query.exe"
  2⤵
  PID:3936
- C:\Windows\System32\quser.exe
  "C:\Windows\System32\quser.exe"
  2⤵
  PID:4060
- C:\Windows\System32\qwinsta.exe
  "C:\Windows\System32\qwinsta.exe"
  2⤵
  PID:3128
- C:\Windows\System32\rasautou.exe
  "C:\Windows\System32\rasautou.exe"
  2⤵
  PID:1648
- C:\Windows\System32\rasdial.exe
  "C:\Windows\System32\rasdial.exe"
  2⤵
  PID:856
- C:\Windows\System32\raserver.exe
  "C:\Windows\System32\raserver.exe"
  2⤵
  PID:3924
- C:\Windows\System32\rasphone.exe
  "C:\Windows\System32\rasphone.exe"
  2⤵
  PID:3156
- C:\Windows\System32\rdpclip.exe
  "C:\Windows\System32\rdpclip.exe"
  2⤵
  PID:3120
- C:\Windows\System32\rdpinit.exe
  "C:\Windows\System32\rdpinit.exe"
  2⤵
  PID:3260
- C:\Windows\System32\rdpshell.exe
  "C:\Windows\System32\rdpshell.exe"
  2⤵
  PID:4056
- C:\Windows\System32\rdpsign.exe
  "C:\Windows\System32\rdpsign.exe"
  2⤵
  PID:3172
- C:\Windows\System32\rdrleakdiag.exe
  "C:\Windows\System32\rdrleakdiag.exe"
  2⤵
  PID:3344
- C:\Windows\System32\RDVGHelper.exe
  "C:\Windows\System32\RDVGHelper.exe"
  2⤵
  PID:3268
- C:\Windows\System32\ReAgentc.exe
  "C:\Windows\System32\ReAgentc.exe"
  2⤵
  PID:4052
- C:\Windows\System32\recdisc.exe
  "C:\Windows\System32\recdisc.exe"
  2⤵
  PID:3328
- C:\Windows\System32\recover.exe
  "C:\Windows\System32\recover.exe"
  2⤵
  PID:1756
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe"
  2⤵
  PID:1548
- C:\Windows\System32\regedt32.exe
  "C:\Windows\System32\regedt32.exe"
  2⤵
  PID:3724
- C:\Windows\System32\regini.exe
  "C:\Windows\System32\regini.exe"
  2⤵
  PID:1416
- C:\Windows\System32\RegisterIEPKEYs.exe
  "C:\Windows\System32\RegisterIEPKEYs.exe"
  2⤵
  PID:3752
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe"
  2⤵
  PID:3828
- C:\Windows\System32\rekeywiz.exe
  "C:\Windows\System32\rekeywiz.exe"
  2⤵
  PID:3716
- C:\Windows\System32\relog.exe
  "C:\Windows\System32\relog.exe"
  2⤵
  PID:1148
- C:\Windows\System32\RelPost.exe
  "C:\Windows\System32\RelPost.exe"
  2⤵
  PID:2580
- C:\Windows\System32\repair-bde.exe
  "C:\Windows\System32\repair-bde.exe"
  2⤵
  PID:3372
- C:\Windows\System32\replace.exe
  "C:\Windows\System32\replace.exe"
  2⤵
  PID:408
- C:\Windows\System32\reset.exe
  "C:\Windows\System32\reset.exe"
  2⤵
  PID:1680
- C:\Windows\System32\resmon.exe
  "C:\Windows\System32\resmon.exe"
  2⤵
  PID:3584
- C:\Windows\System32\rhfwbrrbc2ux2.exe
  "C:\Windows\System32\rhfwbrrbc2ux2.exe"
  2⤵
  PID:3408
- C:\Windows\System32\RMActivate.exe
  "C:\Windows\System32\RMActivate.exe"
  2⤵
  PID:3440
- C:\Windows\System32\RMActivate_isv.exe
  "C:\Windows\System32\RMActivate_isv.exe"
  2⤵
  PID:3392
- C:\Windows\System32\RMActivate_ssp.exe
  "C:\Windows\System32\RMActivate_ssp.exe"
  2⤵
  PID:3232
- C:\Windows\System32\RMActivate_ssp_isv.exe
  "C:\Windows\System32\RMActivate_ssp_isv.exe"
  2⤵
  PID:3480
- C:\Windows\System32\RmClient.exe
  "C:\Windows\System32\RmClient.exe"
  2⤵
  PID:3540
- C:\Windows\System32\Robocopy.exe
  "C:\Windows\System32\Robocopy.exe"
  2⤵
  PID:2244
- C:\Windows\System32\ROUTE.EXE
  "C:\Windows\System32\ROUTE.EXE"
  2⤵
  PID:3116
- C:\Windows\System32\RpcPing.exe
  "C:\Windows\System32\RpcPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3888
- C:\Windows\System32\rrinstaller.exe
  "C:\Windows\System32\rrinstaller.exe"
  2⤵
  PID:3624
- C:\Windows\System32\rstrui.exe
  "C:\Windows\System32\rstrui.exe"
  2⤵
  PID:1804
- C:\Windows\System32\runas.exe
  "C:\Windows\System32\runas.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:3860
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  PID:3168
- C:\Windows\System32\RunLegacyCPLElevated.exe
  "C:\Windows\System32\RunLegacyCPLElevated.exe"
  2⤵
  PID:3704
- C:\Windows\System32\runonce.exe
  "C:\Windows\System32\runonce.exe"
  2⤵
  PID:3576
- C:\Windows\System32\rwinsta.exe
  "C:\Windows\System32\rwinsta.exe"
  2⤵
  PID:1108
- C:\Windows\System32\sbunattend.exe
  "C:\Windows\System32\sbunattend.exe"
  2⤵
  PID:3348
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe"
  2⤵
  - Launches sc.exe
  PID:3316
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe"
  2⤵
  PID:3284
- C:\Windows\System32\sdbinst.exe
  "C:\Windows\System32\sdbinst.exe"
  2⤵
  PID:2552
- C:\Windows\System32\sdchange.exe
  "C:\Windows\System32\sdchange.exe"
  2⤵
  PID:2864
- C:\Windows\System32\sdclt.exe
  "C:\Windows\System32\sdclt.exe"
  2⤵
  PID:3800
- C:\Windows\System32\sdiagnhost.exe
  "C:\Windows\System32\sdiagnhost.exe"
  2⤵
  PID:3672
- C:\Windows\System32\SearchFilterHost.exe
  "C:\Windows\System32\SearchFilterHost.exe"
  2⤵
  PID:2548
- C:\Windows\System32\SearchIndexer.exe
  "C:\Windows\System32\SearchIndexer.exe"
  2⤵
  PID:3948
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe"
  2⤵
  PID:3740
- C:\Windows\System32\SecEdit.exe
  "C:\Windows\System32\SecEdit.exe"
  2⤵
  PID:3840
- C:\Windows\System32\secinit.exe
  "C:\Windows\System32\secinit.exe"
  2⤵
  PID:3960
- C:\Windows\System32\services.exe
  "C:\Windows\System32\services.exe"
  2⤵
  PID:3832
- C:\Windows\System32\sethc.exe
  "C:\Windows\System32\sethc.exe"
  2⤵
  PID:3880
- C:\Windows\System32\SetIEInstalledDate.exe
  "C:\Windows\System32\SetIEInstalledDate.exe"
  2⤵
  PID:1696
- C:\Windows\System32\setspn.exe
  "C:\Windows\System32\setspn.exe"
  2⤵
  PID:3868
- C:\Windows\System32\setupcl.exe
  "C:\Windows\System32\setupcl.exe"
  2⤵
  PID:3088
- C:\Windows\System32\setupugc.exe
  "C:\Windows\System32\setupugc.exe"
  2⤵
  PID:3896
- C:\Windows\System32\setx.exe
  "C:\Windows\System32\setx.exe"
  2⤵
  PID:3780
- C:\Windows\System32\sfc.exe
  "C:\Windows\System32\sfc.exe"
  2⤵
  PID:4088
- C:\Windows\System32\shadow.exe
  "C:\Windows\System32\shadow.exe"
  2⤵
  PID:4004
- C:\Windows\System32\shrpubw.exe
  "C:\Windows\System32\shrpubw.exe"
  2⤵
  PID:4092
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe"
  2⤵
  PID:4012
- C:\Windows\System32\sigverif.exe
  "C:\Windows\System32\sigverif.exe"
  2⤵
  PID:4068
- C:\Windows\System32\slui.exe
  "C:\Windows\System32\slui.exe"
  2⤵
  PID:2928
- C:\Windows\System32\smss.exe
  "C:\Windows\System32\smss.exe"
  2⤵
  PID:444
- C:\Windows\System32\SndVol.exe
  "C:\Windows\System32\SndVol.exe"
  2⤵
  PID:796
- C:\Windows\System32\SnippingTool.exe
  "C:\Windows\System32\SnippingTool.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3908
- C:\Windows\System32\snmptrap.exe
  "C:\Windows\System32\snmptrap.exe"
  2⤵
  PID:2800
- C:\Windows\System32\sort.exe
  "C:\Windows\System32\sort.exe"
  2⤵
  PID:3252
- C:\Windows\System32\SoundRecorder.exe
  "C:\Windows\System32\SoundRecorder.exe"
  2⤵
  PID:3248
- C:\Windows\System32\spinstall.exe
  "C:\Windows\System32\spinstall.exe"
  2⤵
  PID:4084
- C:\Windows\System32\spoolsv.exe
  "C:\Windows\System32\spoolsv.exe"
  2⤵
  PID:804
- C:\Windows\System32\sppsvc.exe
  "C:\Windows\System32\sppsvc.exe"
  2⤵
  PID:4028
- C:\Windows\System32\spreview.exe
  "C:\Windows\System32\spreview.exe"
  2⤵
  PID:4048
- C:\Windows\System32\srdelayed.exe
  "C:\Windows\System32\srdelayed.exe"
  2⤵
  PID:4044
- C:\Windows\System32\StikyNot.exe
  "C:\Windows\System32\StikyNot.exe"
  2⤵
  PID:4052
- C:\Windows\System32\subst.exe
  "C:\Windows\System32\subst.exe"
  2⤵
  PID:3328
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1756
- C:\Windows\System32\sxstrace.exe
  "C:\Windows\System32\sxstrace.exe"
  2⤵
  PID:3720
- C:\Windows\System32\SyncHost.exe
  "C:\Windows\System32\SyncHost.exe"
  2⤵
  PID:3816
- C:\Windows\System32\syskey.exe
  "C:\Windows\System32\syskey.exe"
  2⤵
  PID:3692
- C:\Windows\System32\systeminfo.exe
  "C:\Windows\System32\systeminfo.exe"
  2⤵
  - Gathers system information
  PID:3752
- C:\Windows\System32\SystemPropertiesAdvanced.exe
  "C:\Windows\System32\SystemPropertiesAdvanced.exe"
  2⤵
  PID:2692
- C:\Windows\System32\SystemPropertiesComputerName.exe
  "C:\Windows\System32\SystemPropertiesComputerName.exe"
  2⤵
  PID:3388
- C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
  "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3396
- C:\Windows\System32\SystemPropertiesHardware.exe
  "C:\Windows\System32\SystemPropertiesHardware.exe"
  2⤵
  PID:3464
- C:\Windows\System32\SystemPropertiesPerformance.exe
  "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3568
- C:\Windows\System32\SystemPropertiesProtection.exe
  "C:\Windows\System32\SystemPropertiesProtection.exe"
  2⤵
  PID:3476
- C:\Windows\System32\SystemPropertiesRemote.exe
  "C:\Windows\System32\SystemPropertiesRemote.exe"
  2⤵
  PID:3184
- C:\Windows\System32\systray.exe
  "C:\Windows\System32\systray.exe"
  2⤵
  PID:3420
- C:\Windows\System32\tabcal.exe
  "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3588
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3604
- C:\Windows\System32\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:3400
- C:\Windows\System32\taskeng.exe
  "C:\Windows\System32\taskeng.exe"
  2⤵
  PID:3424
- C:\Windows\System32\taskhost.exe
  "C:\Windows\System32\taskhost.exe"
  2⤵
  PID:3376
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe"
  2⤵
  - Kills process with taskkill
  PID:3440
- C:\Windows\System32\tasklist.exe
  "C:\Windows\System32\tasklist.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3536
- C:\Windows\System32\taskmgr.exe
  "C:\Windows\System32\taskmgr.exe"
  2⤵
  PID:3888
- C:\Windows\System32\tcmsetup.exe
  "C:\Windows\System32\tcmsetup.exe"
  2⤵
  PID:3168
- C:\Windows\System32\TCPSVCS.EXE
  "C:\Windows\System32\TCPSVCS.EXE"
  2⤵
  PID:3628
- C:\Windows\System32\timeout.exe
  "C:\Windows\System32\timeout.exe"
  2⤵
  - Delays execution with timeout.exe
  PID:3756
- C:\Windows\System32\TpmInit.exe
  "C:\Windows\System32\TpmInit.exe"
  2⤵
  PID:3784
- C:\Windows\System32\tracerpt.exe
  "C:\Windows\System32\tracerpt.exe"
  2⤵
  PID:3292
- C:\Windows\System32\TRACERT.EXE
  "C:\Windows\System32\TRACERT.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3216
- C:\Windows\System32\tscon.exe
  "C:\Windows\System32\tscon.exe"
  2⤵
  PID:2784
- C:\Windows\System32\tsdiscon.exe
  "C:\Windows\System32\tsdiscon.exe"
  2⤵
  PID:2864
- C:\Windows\System32\tskill.exe
  "C:\Windows\System32\tskill.exe"
  2⤵
  PID:3672
- C:\Windows\System32\TSTheme.exe
  "C:\Windows\System32\TSTheme.exe"
  2⤵
  PID:680
- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
  "C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe"
  2⤵
  PID:3900
- C:\Windows\System32\TSWbPrxy.exe
  "C:\Windows\System32\TSWbPrxy.exe"
  2⤵
  PID:3928
- C:\Windows\System32\TsWpfWrp.exe
  "C:\Windows\System32\TsWpfWrp.exe"
  2⤵
  PID:2416
- C:\Windows\System32\typeperf.exe
  "C:\Windows\System32\typeperf.exe"
  2⤵
  PID:3740
- C:\Windows\System32\tzutil.exe
  "C:\Windows\System32\tzutil.exe"
  2⤵
  PID:3832
- C:\Windows\System32\ucsvc.exe
  "C:\Windows\System32\ucsvc.exe"
  2⤵
  PID:1696
- C:\Windows\System32\UI0Detect.exe
  "C:\Windows\System32\UI0Detect.exe"
  2⤵
  PID:3088
- C:\Windows\System32\unlodctr.exe
  "C:\Windows\System32\unlodctr.exe"
  2⤵
  PID:1300
- C:\Windows\System32\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe"
  2⤵
  PID:3896
- C:\Windows\System32\upnpcont.exe
  "C:\Windows\System32\upnpcont.exe"
  2⤵
  PID:3112
- C:\Windows\System32\UserAccountControlSettings.exe
  "C:\Windows\System32\UserAccountControlSettings.exe"
  2⤵
  PID:3780
- C:\Windows\System32\userinit.exe
  "C:\Windows\System32\userinit.exe"
  2⤵
  PID:3988
- C:\Windows\System32\Utilman.exe
  "C:\Windows\System32\Utilman.exe"
  2⤵
  PID:4088
- C:\Windows\System32\VaultCmd.exe
  "C:\Windows\System32\VaultCmd.exe"
  2⤵
  PID:1860
- C:\Windows\System32\VaultSysUi.exe
  "C:\Windows\System32\VaultSysUi.exe"
  2⤵
  PID:2276
- C:\Windows\System32\vds.exe
  "C:\Windows\System32\vds.exe"
  2⤵
  PID:3192
- C:\Windows\System32\vdsldr.exe
  "C:\Windows\System32\vdsldr.exe"
  2⤵
  PID:4012
- C:\Windows\System32\verclsid.exe
  "C:\Windows\System32\verclsid.exe"
  2⤵
  PID:4068
- C:\Windows\System32\verifier.exe
  "C:\Windows\System32\verifier.exe"
  2⤵
  PID:444
- C:\Windows\System32\vmicsvc.exe
  "C:\Windows\System32\vmicsvc.exe"
  2⤵
  PID:796
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe"
  2⤵
  PID:3908
- C:\Windows\System32\VSSVC.exe
  "C:\Windows\System32\VSSVC.exe"
  2⤵
  PID:3104
- C:\Windows\System32\w32tm.exe
  "C:\Windows\System32\w32tm.exe"
  2⤵
  PID:3264
- C:\Windows\System32\waitfor.exe
  "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3252
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe"
  2⤵
  PID:804
- C:\Windows\System32\wbengine.exe
  "C:\Windows\System32\wbengine.exe"
  2⤵
  PID:3176
- C:\Windows\System32\wecutil.exe
  "C:\Windows\System32\wecutil.exe"
  2⤵
  PID:4044
- C:\Windows\System32\WerFault.exe
  "C:\Windows\System32\WerFault.exe"
  2⤵
  PID:4052
- C:\Windows\System32\WerFaultSecure.exe
  "C:\Windows\System32\WerFaultSecure.exe"
  2⤵
  PID:3764
- C:\Windows\System32\wermgr.exe
  "C:\Windows\System32\wermgr.exe"
  2⤵
  PID:2408
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe"
  2⤵
  PID:3328
- C:\Windows\System32\wextract.exe
  "C:\Windows\System32\wextract.exe"
  2⤵
  PID:3720
- C:\Windows\System32\WFS.exe
  "C:\Windows\System32\WFS.exe"
  2⤵
  PID:3816
- C:\Windows\System32\where.exe
  "C:\Windows\System32\where.exe"
  2⤵
  PID:3692
- C:\Windows\System32\whoami.exe
  "C:\Windows\System32\whoami.exe"
  2⤵
  PID:3752
- C:\Windows\System32\wiaacmgr.exe
  "C:\Windows\System32\wiaacmgr.exe"
  2⤵
  PID:3388
- C:\Windows\System32\wiawow64.exe
  "C:\Windows\System32\wiawow64.exe"
  2⤵
  PID:3396
- C:\Windows\System32\wimserv.exe
  "C:\Windows\System32\wimserv.exe"
  2⤵
  PID:3464
- C:\Windows\System32\WindowsAnytimeUpgradeResults.exe
  "C:\Windows\System32\WindowsAnytimeUpgradeResults.exe"
  2⤵
  PID:3568
- C:\Windows\System32\wininit.exe
  "C:\Windows\System32\wininit.exe"
  2⤵
  PID:408
- C:\Windows\System32\winload.exe
  "C:\Windows\System32\winload.exe"
  2⤵
  PID:3476
- C:\Windows\System32\winlogon.exe
  "C:\Windows\System32\winlogon.exe"
  2⤵
  PID:3184
- C:\Windows\System32\winresume.exe
  "C:\Windows\System32\winresume.exe"
  2⤵
  PID:3420
- C:\Windows\System32\winrs.exe
  "C:\Windows\System32\winrs.exe"
  2⤵
  PID:3428
- C:\Windows\System32\winrshost.exe
  "C:\Windows\System32\winrshost.exe"
  2⤵
  PID:3460
- C:\Windows\System32\WinSAT.exe
  "C:\Windows\System32\WinSAT.exe"
  2⤵
  PID:1680
- C:\Windows\System32\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  PID:1356
- C:\Windows\System32\wisptis.exe
  "C:\Windows\System32\wisptis.exe"
  2⤵
  PID:3444
- C:\Windows\System32\wksprt.exe
  "C:\Windows\System32\wksprt.exe"
  2⤵
  PID:3376
- C:\Windows\System32\wlanext.exe
  "C:\Windows\System32\wlanext.exe"
  2⤵
  PID:3416
- C:\Windows\System32\wlrmdr.exe
  "C:\Windows\System32\wlrmdr.exe"
  2⤵
  PID:3508
- C:\Windows\System32\wowreg32.exe
  "C:\Windows\System32\wowreg32.exe"
  2⤵
  PID:3236
- C:\Windows\System32\WPDShextAutoplay.exe
  "C:\Windows\System32\WPDShextAutoplay.exe"
  2⤵
  PID:3488
- C:\Windows\System32\wpnpinst.exe
  "C:\Windows\System32\wpnpinst.exe"
  2⤵
  PID:3544
- C:\Windows\System32\write.exe
  "C:\Windows\System32\write.exe"
  2⤵
  PID:3548
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe"
  2⤵
  PID:3524
- C:\Windows\System32\WSManHTTPConfig.exe
  "C:\Windows\System32\WSManHTTPConfig.exe"
  2⤵
  PID:3644
- C:\Windows\System32\wsmprovhost.exe
  "C:\Windows\System32\wsmprovhost.exe"
  2⤵
  PID:3980
- C:\Windows\System32\wsqmcons.exe
  "C:\Windows\System32\wsqmcons.exe"
  2⤵
  PID:2244
- C:\Windows\System32\wuapp.exe
  "C:\Windows\System32\wuapp.exe"
  2⤵
  PID:1456
- C:\Windows\System32\wuauclt.exe
  "C:\Windows\System32\wuauclt.exe"
  2⤵
  PID:3116
- C:\Windows\System32\WUDFHost.exe
  "C:\Windows\System32\WUDFHost.exe"
  2⤵
  PID:264
- C:\Windows\System32\wusa.exe
  "C:\Windows\System32\wusa.exe"
  2⤵
  PID:3624
- C:\Windows\System32\xcopy.exe
  "C:\Windows\System32\xcopy.exe"
  2⤵
  PID:3704
- C:\Windows\System32\xm5qtc2zdpjhg.exe
  "C:\Windows\System32\xm5qtc2zdpjhg.exe"
  2⤵
  PID:808
- C:\Windows\System32\xpsrchvw.exe
  "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3860
- C:\Windows\System32\xwizard.exe
  "C:\Windows\System32\xwizard.exe"
  2⤵
  PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding
1⤵
PID:912

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "00000000000005D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1094571113-6186662828798396881822933462-332467927-545842740-16697002481932530817"
1⤵
PID:704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1160110169380855547-1180400537-622220589652311886-1783240859-1195210575-1212432827"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1869576152-461662377-6521815281070692602634354980-1358167431746889302-533497014"
1⤵
PID:264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13663167191351291305-1320395547239330444-251907897-342672005745851336569734320"
1⤵
PID:716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1428834252028454145220499633551796517-2060731251920763329-272302548453946037"
1⤵
PID:3540

C:\Windows\system32\lpksetup.exe
"C:\Windows\system32\lpksetup.exe" -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5603974801560056404333419985-2059818390-176260496020280784351404569290-1588897587"
1⤵
PID:3608

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:3576
- C:\Windows\System32\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "964043674568513660-19779057221668917059-173981025617843240551373216082-1709016591"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2136059915942140006-168552512428701733715569404901347637825-20795916341425346221"
1⤵
PID:3260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1634198916-344484121481547447107026270511489992811036623651568766618-687313568"
1⤵
PID:3400

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-486628179503280203-1295339378-79664996358198130820673128863320661612135369983"
1⤵
PID:3852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "900033450-1936536608-677224655818895277-243661349-285239597-512262831-2104870658"
1⤵
PID:4020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1237335241-1090148443207672580-1725725209-206933435917183311451869685528547168935"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1437350200202442094619690348339022527-797153546-907632503-777207122-1309904031"
1⤵
PID:4008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1678069981265615849-255332369-15865367221292158256-1980603443-1021400216-874291289"
1⤵
PID:3096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-162008293715825835771408728416191031095918638116552813136712094959756-1306527482"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4974730551704681244-2132946402-449297117684155968-1766753139-194597611-907958186"
1⤵
PID:4032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "259143263-144063119318914660881233008103-18214397318342889021358484808386064954"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1362341595-19315162281268884642-6824872451475438095-18430430-1868482123-731376128"
1⤵
PID:356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "574991019-195644010015512670821730326485-2436579441614224894511527071639175474"
1⤵
PID:3416

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3381698841592884710229589408309927528-838992078-1083678543-1980732781550857140"
1⤵
PID:3524

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:3668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5711191011812244179-1725950659135691792-287216256-205107634876826236-2075070671"
1⤵
PID:3920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1853722995555278981-149465832021158064771161853271-974819993112249293-1772195332"
1⤵
PID:3848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-190288420648847995965389721876383451-1891054057182481120-1118858711-338212573"
1⤵
PID:3788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "377099483568042513-1644189363-1325060632-1240322537-349287081-16942284631757301734"
1⤵
PID:3584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8716136742071539566904215373-1443799902-1328549926801767010963012851950379921"
1⤵
PID:3644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1364307133-280456703-2142787995259500192098851183274243256-4414907981216775807"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1615703374588938233-19459033621136867941-273354508-2128830101-1035919492949774964"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-675490730-9247123561432100775-13696158081153005518260443652078668861380625447"
1⤵
PID:3800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6086688802003998342-1041883404-1789177156-168173670-650930355-847637946-2103450892"
1⤵
PID:3948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2116381978843569245-1437470948-1848930411892803930-6642458819838660982019660641"
1⤵
PID:3880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1738961795687659465-173244182283736489-380122438-7789885717513525731372316128"
1⤵
PID:3868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "647711732-11485450299199533-20757624219953888277993670431633923743-1140518163"
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-87823589-1273442730-110658940-1938570533-16940155914682203101877187225770593076"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1851455598-899044096198241306-1106009696-137977628711354439-635047076-867719014"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3821402771520289253-386705830-1607733818-52871030613902742561070544539-1208632745"
1⤵
PID:3248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125367109247441035-328687731-1638195261-15917768942131619633-12811805281502419072"
1⤵
PID:4084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-58725570614707552321166163698-2024531169-766313391316513839954900088-424632310"
1⤵
PID:4028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2125935194-73489311315503778851744766675-59520222150104578-1803433901-825162437"
1⤵
PID:4048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "940444652-1817297546-10297573811627331677-1766046576-299130732-1322647904476150395"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11180157101279334791-859267727-179480135-2075890587-419133674-2804090151324356702"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2082783815131846004-18730973701517790156654223494-14532404442000090794-639657429"
1⤵
PID:3440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "207129293519445333451872557324-14739762201742482242-1881192881-2104657051859690998"
1⤵
PID:3536

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1288

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:4092
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Device Metadata\dmrc.idx

Filesize
758KB

MD5
b2ab2e23641a8729ef181d3604a29bbc

SHA1
e32b6f84011bfb6b507e74af470a80cfca9d048d

SHA256
b736250034b30609a7ff430d369c5802ba75c7120218fd929c6e18acab1c85f2

SHA512
64a2f6daf10165a5be0e60e3646fa61a57f14da504fb4b6934b4a73f06ff4a9f360cfe1b2db6a05096107eae2889b9265d1ff4d479aad8b55434ccd35f662589

Download Submit
C:\Users\Admin\AppData\Local\Temp\1733003302\PackageInfo.xml

Filesize
29KB

MD5
9de75e8ac6b7dc4ba1a9436569053ea8

SHA1
97b0f401f4966e092fb9e141780e89e8953904a2

SHA256
1033f36c5c24f01ba068e513f2fdf13fc1bede506cd63a8e74b847a0f041a5ab

SHA512
c719de5941ccf903536e1b305ee4448e7579dd6cb358025c8fcf06b1370c8db9fd4c3a30b875895eb6f175c75d368f55d4980a39fc30b3eb7192003be673913d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1733003303\PackageInfo.xml

Filesize
461KB

MD5
8f91cf4b11a33af51ef67fc39635792e

SHA1
a94ab03caaaee9a4da952fa3c21536fb2cc1d47d

SHA256
8eea259ea0e453375cf9fc6ee63f25d726e59a891bc2fe98d255c5f58906879d

SHA512
e1127992b1e34a2ec381fb26ba87f4e1d33433bc9f1fdb02ddd9cc4d4041cfc38f86b0cc486425bef6ba09ee552fdbefb7b90d97a3bc9c2a62685fa3d03529c4

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
8KB

MD5
58f7c21ac63cf5bfdb25ddb1c9dba609

SHA1
af59a648d3fbf4e2002a91ca39ca36461dd3baf6

SHA256
ed42228dd9fca2f79ee7065295fca2180999729053dbdaaf0dd7c6638c8057ff

SHA512
7f4aa54ce7a9b499d87ad65329239afe14b9b52c684131d8d20c964a1f82351d8d01db2e7072f004b9b71bfded3839a711f9aa0f874581c9dff4fa3b7b1cdfdc

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
10KB

MD5
0049e3b16d44e9accb7eb8cc4272bd41

SHA1
23f75741c5516ddc857bd8f20c90e76bbc4dc233

SHA256
e027b5101907f33e051cb0a13a91f713f1d4772e294243661e8cb3c4c629f93d

SHA512
00613bb9538ed8c6af49723a3d769ba492606a1fdc59c510fbc9ec83eafbe8a067ab902d5c13c816ae027e1f55bf48c10892e7ab70ca32db1d107b02aca5f094

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
7KB

MD5
607e639e88498b245b4718bb0d024b88

SHA1
d079ed8c76a3e8c749d8e95a7a9edafdca408a28

SHA256
ec79d8ce1c935fb3236e6cd0cef3cc06e9f790cddc048883a06918ea85177718

SHA512
aac32332c9d08a6a4b761cd80afdd5a245dff637f91df189df0aba4812ec0a6f87928c6746765fb2bc874d048fe01788687b602f628019f2a7f8ca1b916ce0f5

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
9KB

MD5
f409e4c7856d23cbc064425442a07af7

SHA1
677a4e66e0dfcd6b3401f2628b5d4e82cc61c571

SHA256
1e52a2e2d93ac0bc23fc639f182303587acd64af2960194bf93df1b2023245cc

SHA512
85ef9b31e983ad7c0e070a20fbc195440bd79b521595cf515c72adccaa89ea8b2ed2342bb5f9d5e3d3210a71288b838976e4ca5f31ff80e559e5cd22ff27d26b

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
20KB

MD5
11f46afdb7bf00f7983e414ad2d60669

SHA1
7f00903b2c12d39c69ee99db9c4cd4f0bc1bff4f

SHA256
8521dd8adfe4243e1753d381419418322d00d20e85eef649a32a07a989ca161f

SHA512
7adcae2a833245bc23b213e76883fed38acc64b6c2ef9c5083a30b6ba327ecb086a99ff808733584b94e8907af9acb8f912b27fbe17eb45d717f6a52a8caea9c

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
21KB

MD5
1c11ae341151dfd92f2af55759578be3

SHA1
14db6901db0d5db416ac80dd68a06a2eef859902

SHA256
21b03459d3d74a51eb636044631c3ba93d26b975fe9d06ffcb3218536ef4654d

SHA512
18af6bcfb88e0aa02045b13a9e1f920977817d20bc21866894ab9f80d373d1e00a4d1899950a50fdb91ee5930327736a047722082caafc591b11065b23911e81

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
466B

MD5
1bdfa5c53e2eb9f68c65d10c63660068

SHA1
4864ae8bda4aeb461c50e39eb3a71b78aad1956a

SHA256
163ed9050588bc083ba61d52d5ecb8dead54fad47d0ad1240abbe488725c44fe

SHA512
6a4ca5902f322ca6c9a991f3db4158cd77f6e6e89a067793f81a56a3fbf39d0e2864d46e9ff8b3b7d89a3f1f453fee68d5f8e895326df3f46ac4776475473865

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
600B

MD5
fe4b3dffe8dabcd0d133401aa036ff28

SHA1
ac9af2cdb16bbac2b4a6b5cbd1e429eb66ef162a

SHA256
32214340e40e6b4dcc14d268d15e92840e3c67f6536c47cc5b72f4b1b0f4b7c2

SHA512
92778cc09b3cc0cce36c6c52c70789fc028488ca5b295c0d321f22c3b3a83bf9f250323820ed0f6a98c07f4482bba2eb5c7717811051ce11f2ae1ef7f3488ff1

Download Submit
memory/1016-0-0x000007FEF6FC0000-0x000007FEF700C000-memory.dmp

Filesize
304KB

Download
memory/1016-139-0x000007FEF6FC0000-0x000007FEF700C000-memory.dmp

Filesize
304KB

Download
memory/1176-88-0x00000000024B0000-0x00000000024CE000-memory.dmp

Filesize
120KB

Download
memory/1176-90-0x000000001D5D0000-0x000000001D916000-memory.dmp

Filesize
3.3MB

Download
memory/2036-21-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2108-98-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/2108-96-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/2108-100-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/2304-87-0x000000013FD90000-0x000000013FDCF000-memory.dmp

Filesize
252KB

Download
memory/2304-136-0x000000013FD90000-0x000000013FDCF000-memory.dmp

Filesize
252KB

Download
memory/3348-51-0x000007FEF5C40000-0x000007FEF5C7A000-memory.dmp

Filesize
232KB

Download
memory/3408-91-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3408-140-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3548-89-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3904-81-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3936-78-0x00000000022B0000-0x00000000023B0000-memory.dmp

Filesize
1024KB

Download
memory/3936-80-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download