04e5c392d9ae6ce39e1181a75f6641ab11a33e2553368fe9d5802813ba5340ca

Resubmissions

30-11-2024 21:48

241130-1nrpla1jep 8

30-11-2024 21:46

241130-1mnxba1jcm 8

Analysis

max time kernel
8s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-11-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

untitled.exe
Size

245KB
MD5

3d403f366d81c9017ea7242e083dad33
SHA1

d5abdf75c5ed5032b298fd2afb1a29ac97716519
SHA256

04e5c392d9ae6ce39e1181a75f6641ab11a33e2553368fe9d5802813ba5340ca
SHA512

5163ebf669f568d64f4cbbb8f9aec5382064cc0d32b3a603a3d0ac1feafe84c63c978c6092cf6b1c5a89012d6c1aeb3edf397fb96e782dc9c7ba23518fef68dc
SSDEEP

6144:wRywQEWjxXCcL5jrpSiPv6v3T64croHBf:wSGcFJ5wT+CBf

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7604	icacls.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	BdeHdCfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	BdeHdCfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	BdeHdCfg.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	BdeHdCfg.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7348	cmd.exe

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
6516	cmd.exe
7604	cmd.exe
7556	cmd.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
7760	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	CompMgmtLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	control.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	changepk.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3587106988-279496464-3440778474-1000\{4DD62DFD-C00F-4E02-BD58-D4283CEAD749}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	calc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3020	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeShutdownPrivilege	3664	svchost.exe
Token: SeCreatePagefilePrivilege	3664	svchost.exe
Token: SeSecurityPrivilege	3596	auditpol.exe
Token: SeSystemEnvironmentPrivilege	4480	bootim.exe
Token: SeBackupPrivilege	4420	vssvc.exe
Token: SeRestorePrivilege	4420	vssvc.exe
Token: SeAuditPrivilege	4420	vssvc.exe
Token: SeShutdownPrivilege	3020	explorer.exe
Token: SeCreatePagefilePrivilege	3020	explorer.exe
Token: 33	2848	mmc.exe
Token: SeIncBasePriorityPrivilege	2848	mmc.exe
Token: 33	2848	mmc.exe
Token: SeIncBasePriorityPrivilege	2848	mmc.exe
Token: SeSecurityPrivilege	2848	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3020	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1116	OpenWith.exe
4656	certreq.exe
1424	CloudNotifications.exe
4920	conhost.exe
2848	mmc.exe
2848	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2828	2728	untitled.exe	79
PID 2728 wrote to memory of 2828	2728	untitled.exe	79
PID 2728 wrote to memory of 1268	2728	untitled.exe	81
PID 2728 wrote to memory of 1268	2728	untitled.exe	81
PID 2728 wrote to memory of 2908	2728	untitled.exe	82
PID 2728 wrote to memory of 2908	2728	untitled.exe	82
PID 2728 wrote to memory of 4456	2728	untitled.exe	84
PID 2728 wrote to memory of 4456	2728	untitled.exe	84
PID 2728 wrote to memory of 1448	2728	untitled.exe	86
PID 2728 wrote to memory of 1448	2728	untitled.exe	86
PID 2728 wrote to memory of 2620	2728	untitled.exe	87
PID 2728 wrote to memory of 2620	2728	untitled.exe	87
PID 2728 wrote to memory of 2312	2728	untitled.exe	89
PID 2728 wrote to memory of 2312	2728	untitled.exe	89
PID 2728 wrote to memory of 4624	2728	untitled.exe	91
PID 2728 wrote to memory of 4624	2728	untitled.exe	91
PID 2728 wrote to memory of 4476	2728	untitled.exe	93
PID 2728 wrote to memory of 4476	2728	untitled.exe	93
PID 2728 wrote to memory of 4032	2728	untitled.exe	95
PID 2728 wrote to memory of 4032	2728	untitled.exe	95
PID 2728 wrote to memory of 3948	2728	untitled.exe	96
PID 2728 wrote to memory of 3948	2728	untitled.exe	96
PID 2728 wrote to memory of 224	2728	untitled.exe	97
PID 2728 wrote to memory of 224	2728	untitled.exe	97
PID 2728 wrote to memory of 2972	2728	untitled.exe	99
PID 2728 wrote to memory of 2972	2728	untitled.exe	99
PID 2728 wrote to memory of 2624	2728	untitled.exe	100
PID 2728 wrote to memory of 2624	2728	untitled.exe	100
PID 2728 wrote to memory of 3028	2728	untitled.exe	102
PID 2728 wrote to memory of 3028	2728	untitled.exe	102
PID 2728 wrote to memory of 2516	2728	untitled.exe	104
PID 2728 wrote to memory of 2516	2728	untitled.exe	104
PID 2728 wrote to memory of 5020	2728	untitled.exe	107
PID 2728 wrote to memory of 5020	2728	untitled.exe	107
PID 2728 wrote to memory of 3868	2728	untitled.exe	108
PID 2728 wrote to memory of 3868	2728	untitled.exe	108
PID 2728 wrote to memory of 1500	2728	untitled.exe	110
PID 2728 wrote to memory of 1500	2728	untitled.exe	110
PID 2728 wrote to memory of 2264	2728	untitled.exe	111
PID 2728 wrote to memory of 2264	2728	untitled.exe	111
PID 2728 wrote to memory of 3844	2728	untitled.exe	113
PID 2728 wrote to memory of 3844	2728	untitled.exe	113
PID 2728 wrote to memory of 2496	2728	untitled.exe	114
PID 2728 wrote to memory of 2496	2728	untitled.exe	114
PID 2728 wrote to memory of 3748	2728	untitled.exe	116
PID 2728 wrote to memory of 3748	2728	untitled.exe	116
PID 2728 wrote to memory of 3596	2728	untitled.exe	117
PID 2728 wrote to memory of 3596	2728	untitled.exe	117
PID 2728 wrote to memory of 3388	2728	untitled.exe	119
PID 2728 wrote to memory of 3388	2728	untitled.exe	119
PID 2728 wrote to memory of 2464	2728	untitled.exe	121
PID 2728 wrote to memory of 2464	2728	untitled.exe	121
PID 2728 wrote to memory of 5004	2728	untitled.exe	122
PID 2728 wrote to memory of 5004	2728	untitled.exe	122
PID 2728 wrote to memory of 4900	2728	untitled.exe	123
PID 2728 wrote to memory of 4900	2728	untitled.exe	123
PID 2728 wrote to memory of 540	2728	untitled.exe	124
PID 2728 wrote to memory of 540	2728	untitled.exe	124
PID 2728 wrote to memory of 1856	2728	untitled.exe	125
PID 2728 wrote to memory of 1856	2728	untitled.exe	125
PID 2728 wrote to memory of 1568	2728	untitled.exe	127
PID 2728 wrote to memory of 1568	2728	untitled.exe	127
PID 2728 wrote to memory of 3540	2728	untitled.exe	129
PID 2728 wrote to memory of 3540	2728	untitled.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\untitled.exe
"C:\Users\Admin\AppData\Local\Temp\untitled.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\56zyq2b7vc4tk.exe
  "C:\Windows\System32\56zyq2b7vc4tk.exe"
  2⤵
  PID:3600
- C:\Windows\System32\agentactivationruntimestarter.exe
  "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:2828
- C:\Windows\System32\AgentService.exe
  "C:\Windows\System32\AgentService.exe"
  2⤵
  PID:1268
- C:\Windows\System32\AggregatorHost.exe
  "C:\Windows\System32\AggregatorHost.exe"
  2⤵
  PID:2908
- C:\Windows\System32\aitstatic.exe
  "C:\Windows\System32\aitstatic.exe"
  2⤵
  PID:4456
- C:\Windows\System32\alg.exe
  "C:\Windows\System32\alg.exe"
  2⤵
  PID:1448
- C:\Windows\System32\AppHostRegistrationVerifier.exe
  "C:\Windows\System32\AppHostRegistrationVerifier.exe"
  2⤵
  PID:2620
- C:\Windows\System32\appidcertstorecheck.exe
  "C:\Windows\System32\appidcertstorecheck.exe"
  2⤵
  PID:2312
- C:\Windows\System32\appidpolicyconverter.exe
  "C:\Windows\System32\appidpolicyconverter.exe"
  2⤵
  PID:4624
- C:\Windows\System32\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:4476
- C:\Windows\System32\ApplicationFrameHost.exe
  "C:\Windows\System32\ApplicationFrameHost.exe"
  2⤵
  PID:4032
- C:\Windows\System32\ApplySettingsTemplateCatalog.exe
  "C:\Windows\System32\ApplySettingsTemplateCatalog.exe"
  2⤵
  PID:3948
- C:\Windows\System32\ApplyTrustOffline.exe
  "C:\Windows\System32\ApplyTrustOffline.exe"
  2⤵
  PID:224
- C:\Windows\System32\ApproveChildRequest.exe
  "C:\Windows\System32\ApproveChildRequest.exe"
  2⤵
  PID:2972
- C:\Windows\System32\AppVClient.exe
  "C:\Windows\System32\AppVClient.exe"
  2⤵
  PID:2624
- C:\Windows\System32\AppVDllSurrogate.exe
  "C:\Windows\System32\AppVDllSurrogate.exe"
  2⤵
  PID:3028
- C:\Windows\System32\AppVNice.exe
  "C:\Windows\System32\AppVNice.exe"
  2⤵
  PID:2516
- C:\Windows\System32\AppVShNotify.exe
  "C:\Windows\System32\AppVShNotify.exe"
  2⤵
  PID:5020
- C:\Windows\System32\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:3868
- C:\Windows\System32\AssignedAccessGuard.exe
  "C:\Windows\System32\AssignedAccessGuard.exe"
  2⤵
  PID:1500
- C:\Windows\System32\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:2264
- C:\Windows\System32\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:3844
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - Views/modifies file attributes
  PID:2496
- C:\Windows\System32\audiodg.exe
  "C:\Windows\System32\audiodg.exe"
  2⤵
  PID:3748
- C:\Windows\System32\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\AuthHost.exe
  "C:\Windows\System32\AuthHost.exe"
  2⤵
  PID:3388
- C:\Windows\System32\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:2072
- C:\Windows\System32\AxInstUI.exe
  "C:\Windows\System32\AxInstUI.exe"
  2⤵
  PID:2464
- C:\Windows\System32\baaupdate.exe
  "C:\Windows\System32\baaupdate.exe"
  2⤵
  PID:5004
- C:\Windows\System32\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  PID:4900
- C:\Windows\System32\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  PID:540
- C:\Windows\System32\bcdboot.exe
  "C:\Windows\System32\bcdboot.exe"
  2⤵
  PID:1856
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe"
  2⤵
  PID:1568
- C:\Windows\System32\bdechangepin.exe
  "C:\Windows\System32\bdechangepin.exe"
  2⤵
  PID:3540
- C:\Windows\System32\BdeHdCfg.exe
  "C:\Windows\System32\BdeHdCfg.exe"
  2⤵
  - Drops file in Windows directory
  PID:984
- C:\Windows\System32\BdeUISrv.exe
  "C:\Windows\System32\BdeUISrv.exe"
  2⤵
  PID:5076
- C:\Windows\System32\bdeunlock.exe
  "C:\Windows\System32\bdeunlock.exe"
  2⤵
  PID:3220
- C:\Windows\System32\BioIso.exe
  "C:\Windows\System32\BioIso.exe"
  2⤵
  PID:1772
- C:\Windows\System32\BitLockerDeviceEncryption.exe
  "C:\Windows\System32\BitLockerDeviceEncryption.exe"
  2⤵
  PID:2420
- C:\Windows\System32\BitLockerWizard.exe
  "C:\Windows\System32\BitLockerWizard.exe"
  2⤵
  PID:1132
- C:\Windows\System32\BitLockerWizardElev.exe
  "C:\Windows\System32\BitLockerWizardElev.exe"
  2⤵
  PID:912
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:1880
- C:\Windows\System32\bootim.exe
  "C:\Windows\System32\bootim.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\bootsect.exe
  "C:\Windows\System32\bootsect.exe"
  2⤵
  PID:1356
- C:\Windows\System32\bridgeunattend.exe
  "C:\Windows\System32\bridgeunattend.exe"
  2⤵
  PID:452
- C:\Windows\System32\browserexport.exe
  "C:\Windows\System32\browserexport.exe"
  2⤵
  PID:2308
- C:\Windows\System32\browser_broker.exe
  "C:\Windows\System32\browser_broker.exe"
  2⤵
  PID:3204
- C:\Windows\System32\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:1012
- C:\Windows\System32\ByteCodeGenerator.exe
  "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:4212
- C:\Windows\System32\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  PID:3728
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - Modifies registry class
  PID:2884
- C:\Windows\System32\CameraSettingsUIHost.exe
  "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  PID:2696
- C:\Windows\System32\CastSrv.exe
  "C:\Windows\System32\CastSrv.exe"
  2⤵
  PID:4664
- C:\Windows\System32\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  PID:4172
- C:\Windows\System32\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  PID:3248
- C:\Windows\System32\change.exe
  "C:\Windows\System32\change.exe"
  2⤵
  PID:816
- C:\Windows\System32\changepk.exe
  "C:\Windows\System32\changepk.exe"
  2⤵
  - Modifies registry class
  PID:8
- C:\Windows\System32\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  PID:4948
- C:\Windows\System32\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  PID:4144
- C:\Windows\System32\chglogon.exe
  "C:\Windows\System32\chglogon.exe"
  2⤵
  PID:1900
- C:\Windows\System32\chgport.exe
  "C:\Windows\System32\chgport.exe"
  2⤵
  PID:2844
- C:\Windows\System32\chgusr.exe
  "C:\Windows\System32\chgusr.exe"
  2⤵
  PID:4612
- C:\Windows\System32\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  PID:2120
- C:\Windows\System32\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  PID:5044
- C:\Windows\System32\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  PID:3404
- C:\Windows\System32\CIDiag.exe
  "C:\Windows\System32\CIDiag.exe"
  2⤵
  PID:3820
- C:\Windows\System32\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  PID:4912
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\dismhost.exe {B4AE5DBC-EBF9-41AF-A19A-1D90EA876757}
    3⤵
    PID:5724
- C:\Windows\System32\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  PID:2612
- C:\Windows\System32\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  PID:5040
- C:\Windows\System32\ClipDLS.exe
  "C:\Windows\System32\ClipDLS.exe"
  2⤵
  PID:4720
- C:\Windows\System32\ClipRenew.exe
  "C:\Windows\System32\ClipRenew.exe"
  2⤵
  PID:1564
- C:\Windows\System32\ClipUp.exe
  "C:\Windows\System32\ClipUp.exe"
  2⤵
  PID:4872
- - C:\Windows\System32\ClipUp.exe
    "C:\Windows\System32\ClipUp.exe" -ppl C:\Users\Admin\AppData\Local\Temp\temAC2E.tmp
    3⤵
    PID:1036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2308
- C:\Windows\System32\CloudExperienceHostBroker.exe
  "C:\Windows\System32\CloudExperienceHostBroker.exe"
  2⤵
  PID:1568
- C:\Windows\System32\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3728
- C:\Windows\System32\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  PID:3428
- C:\Windows\System32\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  PID:2864
- C:\Windows\System32\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  PID:3248
- C:\Windows\System32\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  PID:2176
- C:\Windows\System32\cofire.exe
  "C:\Windows\System32\cofire.exe"
  2⤵
  PID:3904
- C:\Windows\System32\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  PID:3412
- C:\Windows\System32\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  PID:4680
- C:\Windows\System32\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  PID:1208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4612
- C:\Windows\System32\CompatTelRunner.exe
  "C:\Windows\System32\CompatTelRunner.exe"
  2⤵
  PID:3536
- - C:\Windows\system32\CompatTelRunner.exe
    C:\Windows\system32\CompatTelRunner.exe -m:devinv.dll -f:CreateDeviceInventory -cv:0dhcTyX7jUKKrIk0.4 -oobe
    3⤵
    PID:8624
- C:\Windows\System32\CompMgmtLauncher.exe
  "C:\Windows\System32\CompMgmtLauncher.exe"
  2⤵
  - Modifies registry class
  PID:1380
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2848
- C:\Windows\System32\CompPkgSrv.exe
  "C:\Windows\System32\CompPkgSrv.exe"
  2⤵
  PID:2624
- C:\Windows\System32\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  PID:1420
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:3048
- C:\Windows\System32\consent.exe
  "C:\Windows\System32\consent.exe"
  2⤵
  PID:2816
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - Modifies registry class
  PID:2516
- C:\Windows\System32\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  PID:3848
- C:\Windows\System32\convertvhd.exe
  "C:\Windows\System32\convertvhd.exe"
  2⤵
  PID:2848
- C:\Windows\System32\coredpussvr.exe
  "C:\Windows\System32\coredpussvr.exe"
  2⤵
  PID:224
- C:\Windows\System32\CredentialEnrollmentManager.exe
  "C:\Windows\System32\CredentialEnrollmentManager.exe"
  2⤵
  PID:336
- C:\Windows\System32\CredentialUIBroker.exe
  "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  PID:3476
- C:\Windows\System32\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:1052
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  PID:4440
- C:\Windows\System32\csrss.exe
  "C:\Windows\System32\csrss.exe"
  2⤵
  PID:1772
- C:\Windows\System32\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:2176
- C:\Windows\System32\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  PID:5004
- C:\Windows\System32\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:2612
- C:\Windows\System32\curl.exe
  "C:\Windows\System32\curl.exe"
  2⤵
  PID:3220
- C:\Windows\System32\CustomInstallExec.exe
  "C:\Windows\System32\CustomInstallExec.exe"
  2⤵
  PID:5860
- C:\Windows\System32\CustomShellHost.exe
  "C:\Windows\System32\CustomShellHost.exe"
  2⤵
  PID:5876
- - C:\Windows\explorer.exe
    explorer.exe /NoShellRegistrationCheck
    3⤵
    PID:5936
- C:\Windows\System32\dasHost.exe
  "C:\Windows\System32\dasHost.exe"
  2⤵
  PID:5908
- C:\Windows\System32\DataExchangeHost.exe
  "C:\Windows\System32\DataExchangeHost.exe"
  2⤵
  PID:6072
- C:\Windows\System32\DataStoreCacheDumpTool.exe
  "C:\Windows\System32\DataStoreCacheDumpTool.exe"
  2⤵
  PID:6136
- C:\Windows\System32\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:788
- C:\Windows\System32\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:1116
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    PID:3704
- C:\Windows\System32\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:3260
- C:\Windows\System32\Defrag.exe
  "C:\Windows\System32\Defrag.exe"
  2⤵
  PID:4236
- C:\Windows\System32\deploymentcsphelper.exe
  "C:\Windows\System32\deploymentcsphelper.exe"
  2⤵
  PID:5236
- C:\Windows\System32\desktopimgdownldr.exe
  "C:\Windows\System32\desktopimgdownldr.exe"
  2⤵
  PID:5256
- C:\Windows\System32\DeviceCensus.exe
  "C:\Windows\System32\DeviceCensus.exe"
  2⤵
  PID:5452
- C:\Windows\System32\DeviceCredentialDeployment.exe
  "C:\Windows\System32\DeviceCredentialDeployment.exe"
  2⤵
  PID:5472
- C:\Windows\System32\DeviceEject.exe
  "C:\Windows\System32\DeviceEject.exe"
  2⤵
  PID:5588
- C:\Windows\System32\DeviceEnroller.exe
  "C:\Windows\System32\DeviceEnroller.exe"
  2⤵
  PID:5576
- C:\Windows\System32\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:5552
- C:\Windows\System32\DeviceProperties.exe
  "C:\Windows\System32\DeviceProperties.exe"
  2⤵
  PID:5648
- C:\Windows\System32\DFDWiz.exe
  "C:\Windows\System32\DFDWiz.exe"
  2⤵
  PID:5716
- C:\Windows\System32\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:5712
- C:\Windows\System32\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:5372
- C:\Windows\System32\directxdatabaseupdater.exe
  "C:\Windows\System32\directxdatabaseupdater.exe"
  2⤵
  PID:412
- C:\Windows\System32\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:5836
- C:\Windows\System32\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:2900
- C:\Windows\System32\diskraid.exe
  "C:\Windows\System32\diskraid.exe"
  2⤵
  PID:5896
- C:\Windows\System32\DiskSnapshot.exe
  "C:\Windows\System32\DiskSnapshot.exe"
  2⤵
  PID:5900
- C:\Windows\System32\diskusage.exe
  "C:\Windows\System32\diskusage.exe"
  2⤵
  PID:5916
- C:\Windows\System32\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  PID:5892
- C:\Windows\System32\dispdiag.exe
  "C:\Windows\System32\dispdiag.exe"
  2⤵
  PID:6212
- C:\Windows\System32\DisplaySwitch.exe
  "C:\Windows\System32\DisplaySwitch.exe"
  2⤵
  PID:6224
- C:\Windows\System32\djoin.exe
  "C:\Windows\System32\djoin.exe"
  2⤵
  PID:6952
- C:\Windows\System32\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:6960
- C:\Windows\System32\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:6968
- C:\Windows\System32\dmcertinst.exe
  "C:\Windows\System32\dmcertinst.exe"
  2⤵
  PID:6136
- C:\Windows\System32\dmcfghost.exe
  "C:\Windows\System32\dmcfghost.exe"
  2⤵
  PID:6204
- C:\Windows\System32\dmclient.exe
  "C:\Windows\System32\dmclient.exe"
  2⤵
  PID:6316
- C:\Windows\System32\DmNotificationBroker.exe
  "C:\Windows\System32\DmNotificationBroker.exe"
  2⤵
  PID:6348
- C:\Windows\System32\DmOmaCpMo.exe
  "C:\Windows\System32\DmOmaCpMo.exe"
  2⤵
  PID:6380
- C:\Windows\System32\dnscacheugc.exe
  "C:\Windows\System32\dnscacheugc.exe"
  2⤵
  PID:6328
- C:\Windows\System32\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:6404
- C:\Windows\System32\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:1612
- C:\Windows\System32\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:4340
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:display
    3⤵
    PID:6992
- C:\Windows\System32\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:4328
- C:\Windows\System32\drvinst.exe
  "C:\Windows\System32\drvinst.exe"
  2⤵
  PID:2380
- C:\Windows\System32\DsmUserTask.exe
  "C:\Windows\System32\DsmUserTask.exe"
  2⤵
  PID:6872
- C:\Windows\System32\dsregcmd.exe
  "C:\Windows\System32\dsregcmd.exe"
  2⤵
  PID:6356
- C:\Windows\System32\dstokenclean.exe
  "C:\Windows\System32\dstokenclean.exe"
  2⤵
  PID:6412
- C:\Windows\System32\dtdump.exe
  "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:6400
- C:\Windows\System32\dusmtask.exe
  "C:\Windows\System32\dusmtask.exe"
  2⤵
  PID:6364
- C:\Windows\System32\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:6328
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    PID:5544
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      PID:560
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        
        PID:5536
- C:\Windows\System32\dwm.exe
  "C:\Windows\System32\dwm.exe"
  2⤵
  PID:6284
- C:\Windows\System32\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:6320
- C:\Windows\System32\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:1796
- C:\Windows\System32\dxgiadaptercache.exe
  "C:\Windows\System32\dxgiadaptercache.exe"
  2⤵
  PID:6300
- C:\Windows\System32\Dxpserver.exe
  "C:\Windows\System32\Dxpserver.exe"
  2⤵
  PID:5948
- C:\Windows\System32\Eap3Host.exe
  "C:\Windows\System32\Eap3Host.exe"
  2⤵
  PID:2316
- C:\Windows\System32\EaseOfAccessDialog.exe
  "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:6536
- C:\Windows\System32\easinvoker.exe
  "C:\Windows\System32\easinvoker.exe"
  2⤵
  PID:6296
- C:\Windows\System32\EASPolicyManagerBrokerHost.exe
  "C:\Windows\System32\EASPolicyManagerBrokerHost.exe"
  2⤵
  PID:6336
- C:\Windows\System32\EDPCleanup.exe
  "C:\Windows\System32\EDPCleanup.exe"
  2⤵
  PID:6592
- C:\Windows\System32\edpnotify.exe
  "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:5228
- C:\Windows\System32\EduPrintProv.exe
  "C:\Windows\System32\EduPrintProv.exe"
  2⤵
  PID:3848
- C:\Windows\System32\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:5900
- C:\Windows\System32\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:6376
- C:\Windows\System32\EM.exe
  "C:\Windows\System32\EM.exe"
  2⤵
  PID:6216
- C:\Windows\System32\EoAExperiences.exe
  "C:\Windows\System32\EoAExperiences.exe"
  2⤵
  PID:6304
- C:\Windows\System32\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:6308
- C:\Windows\System32\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:2412
- C:\Windows\System32\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:6220
- C:\Windows\System32\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:4236
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    PID:6272
- C:\Windows\System32\expand.exe
  "C:\Windows\System32\expand.exe"
  2⤵
  PID:7352
- C:\Windows\System32\extrac32.exe
  "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:7472
- C:\Windows\System32\fc.exe
  "C:\Windows\System32\fc.exe"
  2⤵
  PID:7484
- C:\Windows\System32\fhmanagew.exe
  "C:\Windows\System32\fhmanagew.exe"
  2⤵
  PID:7496
- C:\Windows\System32\FileHistory.exe
  "C:\Windows\System32\FileHistory.exe"
  2⤵
  PID:7504
- C:\Windows\System32\find.exe
  "C:\Windows\System32\find.exe"
  2⤵
  PID:7512
- C:\Windows\System32\findstr.exe
  "C:\Windows\System32\findstr.exe"
  2⤵
  PID:7528
- C:\Windows\System32\finger.exe
  "C:\Windows\System32\finger.exe"
  2⤵
  PID:7536
- C:\Windows\System32\fixmapi.exe
  "C:\Windows\System32\fixmapi.exe"
  2⤵
  PID:7544
- C:\Windows\System32\fltMC.exe
  "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:7556
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  PID:7576
- C:\Windows\System32\Fondue.exe
  "C:\Windows\System32\Fondue.exe"
  2⤵
  PID:7592
- C:\Windows\System32\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:7600
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe"
  2⤵
  PID:7616
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:7640
- - C:\Windows\System32\cmd.exe
    /c echo ".ses"
    3⤵
    PID:7988
- - C:\Windows\System32\cmd.exe
    /c echo "13D559A7-7D55-4B4C-9E65-1D577FCA06B3"
    3⤵
    PID:8016
- - C:\Windows\System32\cmd.exe
    /c echo "2163551507"
    3⤵
    PID:8048
- - C:\Windows\System32\cmd.exe
    /c echo "acrocef_low"
    3⤵
    PID:8096
- - C:\Windows\System32\cmd.exe
    /c echo "AdobeSFX.log"
    3⤵
    PID:8160
- - C:\Windows\System32\cmd.exe
    /c echo "aria-debug-1984.log"
    3⤵
    PID:7228
- - C:\Windows\System32\cmd.exe
    /c echo "BroadcastMsg_1728302633.txt"
    3⤵
    PID:7420
- - C:\Windows\System32\cmd.exe
    /c echo "chrome_installer.log"
    3⤵
    PID:7632
- - C:\Windows\System32\cmd.exe
    /c echo "ddodiag.xml"
    3⤵
    PID:7652
- - C:\Windows\System32\cmd.exe
    /c echo "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:7820
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistMSI3511.txt"
    3⤵
    PID:7496
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistMSI352F.txt"
    3⤵
    PID:7876
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistUI3511.txt"
    3⤵
    PID:7528
- - C:\Windows\System32\cmd.exe
    /c echo "dd_vcredistUI352F.txt"
    3⤵
    PID:7772
- - C:\Windows\System32\cmd.exe
    /c echo "DispDiag-20241130-214832-6212-6216.dat"
    3⤵
    PID:7988
- - C:\Windows\System32\cmd.exe
    /c echo "hsperfdata_Admin"
    3⤵
    PID:8100
- - C:\Windows\System32\cmd.exe
    /c echo "JavaDeployReg.log"
    3⤵
    PID:8144
- - C:\Windows\System32\cmd.exe
    /c echo "jawshtml.html"
    3⤵
    PID:7580
- - C:\Windows\System32\cmd.exe
    /c echo "jusched.log"
    3⤵
    PID:8012
- - C:\Windows\System32\cmd.exe
    /c echo "Low"
    3⤵
    PID:6608
- - C:\Windows\System32\cmd.exe
    /c echo "mapping.csv"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:7348
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft .NET Framework 4.7.2 Setup_20241007_120026274.html"
    3⤵
    PID:7604
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219"
    3⤵
    PID:7728
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219"
    3⤵
    PID:7652
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007120045.log"
    3⤵
    PID:7868
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007120045_000_dotnet_runtime_6.0.27_win_x64.msi.log"
    3⤵
    - System Time Discovery
    PID:6516
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007120045_001_dotnet_hostfxr_6.0.27_win_x64.msi.log"
    3⤵
    PID:7876
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007120045_002_dotnet_host_6.0.27_win_x64.msi.log"
    3⤵
    PID:8000
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007120045_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log"
    3⤵
    PID:7700
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007120106.log"
    3⤵
    PID:8112
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007120106_000_dotnet_runtime_7.0.16_win_x64.msi.log"
    3⤵
    - System Time Discovery
    PID:7604
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007120106_001_dotnet_hostfxr_7.0.16_win_x64.msi.log"
    3⤵
    PID:7624
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007120106_002_dotnet_host_7.0.16_win_x64.msi.log"
    3⤵
    PID:7648
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007120106_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log"
    3⤵
    PID:6516
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007120124.log"
    3⤵
    PID:7876
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007120124_000_dotnet_runtime_8.0.2_win_x64.msi.log"
    3⤵
    - System Time Discovery
    PID:7556
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007120124_001_dotnet_hostfxr_8.0.2_win_x64.msi.log"
    3⤵
    PID:8020
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007120124_002_dotnet_host_8.0.2_win_x64.msi.log"
    3⤵
    PID:8108
- - C:\Windows\System32\cmd.exe
    /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007120124_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log"
    3⤵
    PID:7796
- - C:\Windows\System32\cmd.exe
    /c echo "mozilla-temp-files"
    3⤵
    PID:7820
- - C:\Windows\System32\cmd.exe
    /c echo "msedge_installer.log"
    3⤵
    PID:7920
- - C:\Windows\System32\cmd.exe
    /c echo "OneNote"
    3⤵
    PID:7228
- - C:\Windows\System32\cmd.exe
    /c echo "OZYSBZXK-20241007-1204.log"
    3⤵
    PID:7580
- - C:\Windows\System32\cmd.exe
    /c echo "OZYSBZXK-20241007-1204a.log"
    3⤵
    PID:8164
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8C74.tmp"
    3⤵
    PID:7496
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8C75.tmp"
    3⤵
    PID:7732
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8C76.tmp"
    3⤵
    PID:8704
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8C97.tmp"
    3⤵
    PID:8728
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8D83.tmp"
    3⤵
    PID:8748
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8DB4.tmp"
    3⤵
    PID:8760
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8DC6.tmp"
    3⤵
    PID:8772
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8DF7.tmp"
    3⤵
    PID:8804
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8E08.tmp"
    3⤵
    PID:8816
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8E58.tmp"
    3⤵
    PID:8828
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8E5A.tmp"
    3⤵
    PID:8848
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8EE9.tmp"
    3⤵
    PID:8864
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8F1A.tmp"
    3⤵
    PID:8884
- - C:\Windows\System32\cmd.exe
    /c echo "TCD8FA9.tmp"
    3⤵
    PID:8900
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9037.tmp"
    3⤵
    PID:8916
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9087.tmp"
    3⤵
    PID:8932
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9099.tmp"
    3⤵
    PID:8948
- - C:\Windows\System32\cmd.exe
    /c echo "TCD90AB.tmp"
    3⤵
    PID:8964
- - C:\Windows\System32\cmd.exe
    /c echo "TCD90EB.tmp"
    3⤵
    PID:8992
- - C:\Windows\System32\cmd.exe
    /c echo "TCD90FD.tmp"
    3⤵
    PID:9012
- - C:\Windows\System32\cmd.exe
    /c echo "TCD916C.tmp"
    3⤵
    PID:9036
- - C:\Windows\System32\cmd.exe
    /c echo "TCD919E.tmp"
    3⤵
    PID:9080
- - C:\Windows\System32\cmd.exe
    /c echo "TCD919F.tmp"
    3⤵
    PID:9104
- - C:\Windows\System32\cmd.exe
    /c echo "TCD91B1.tmp"
    3⤵
    PID:9124
- - C:\Windows\System32\cmd.exe
    /c echo "TCD91D2.tmp"
    3⤵
    PID:9148
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9241.tmp"
    3⤵
    PID:9168
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9262.tmp"
    3⤵
    PID:9180
- - C:\Windows\System32\cmd.exe
    /c echo "TCD92F2.tmp"
    3⤵
    PID:8428
- - C:\Windows\System32\cmd.exe
    /c echo "TCD92F3.tmp"
    3⤵
    PID:8560
- - C:\Windows\System32\cmd.exe
    /c echo "TCD93C0.tmp"
    3⤵
    PID:8732
- - C:\Windows\System32\cmd.exe
    /c echo "TCD945E.tmp"
    3⤵
    PID:8252
- - C:\Windows\System32\cmd.exe
    /c echo "TCD949F.tmp"
    3⤵
    PID:8768
- - C:\Windows\System32\cmd.exe
    /c echo "TCD94C0.tmp"
    3⤵
    PID:8800
- - C:\Windows\System32\cmd.exe
    /c echo "TCD954F.tmp"
    3⤵
    PID:8820
- - C:\Windows\System32\cmd.exe
    /c echo "TCD961C.tmp"
    3⤵
    PID:8828
- - C:\Windows\System32\cmd.exe
    /c echo "TCD963D.tmp"
    3⤵
    PID:8848
- - C:\Windows\System32\cmd.exe
    /c echo "TCD963F.tmp"
    3⤵
    PID:8864
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9671.tmp"
    3⤵
    PID:8884
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9672.tmp"
    3⤵
    PID:8660
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9684.tmp"
    3⤵
    PID:8908
- - C:\Windows\System32\cmd.exe
    /c echo "TCD96A5.tmp"
    3⤵
    PID:8916
- - C:\Windows\System32\cmd.exe
    /c echo "TCD96E5.tmp"
    3⤵
    PID:9052
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9708.tmp"
    3⤵
    PID:9044
- - C:\Windows\System32\cmd.exe
    /c echo "TCD9709.tmp"
    3⤵
    PID:8680
- - C:\Windows\System32\cmd.exe
    /c echo "TCD995C.tmp"
    3⤵
    PID:7552
- - C:\Windows\System32\cmd.exe
    /c echo "TCD997E.tmp"
    3⤵
    PID:8732
- - C:\Windows\System32\cmd.exe
    /c echo "TCD99AF.tmp"
    3⤵
    PID:8816
- - C:\Windows\System32\cmd.exe
    /c echo "temAC2E.tmp"
    3⤵
    PID:7192
- - C:\Windows\System32\cmd.exe
    /c echo "untitled.exe"
    3⤵
    PID:8868
- - C:\Windows\System32\cmd.exe
    /c echo "VBE"
    3⤵
    PID:8212
- - C:\Windows\System32\cmd.exe
    /c echo "wct2888.tmp"
    3⤵
    PID:8592
- - C:\Windows\System32\cmd.exe
    /c echo "wct5812.tmp"
    3⤵
    PID:8976
- - C:\Windows\System32\cmd.exe
    /c echo "wct6C08.tmp"
    3⤵
    PID:8944
- - C:\Windows\System32\cmd.exe
    /c echo "wct6ED8.tmp"
    3⤵
    PID:8404
- - C:\Windows\System32\cmd.exe
    /c echo "wct830A.tmp"
    3⤵
    PID:9188
- - C:\Windows\System32\cmd.exe
    /c echo "wctCA16.tmp"
    3⤵
    PID:9000
- - C:\Windows\System32\cmd.exe
    /c echo "wmsetup.log"
    3⤵
    PID:9124
- - C:\Windows\System32\cmd.exe
    /c echo "{11DE8E9D-D333-404F-934C-C863A13F8D6F} - OProcSessId.dat"
    3⤵
    PID:8996
- - C:\Windows\System32\cmd.exe
    /c echo "{189A8009-91AB-4FB8-8568-9A118CCCAB91}"
    3⤵
    PID:8020
- C:\Windows\System32\fsavailux.exe
  "C:\Windows\System32\fsavailux.exe"
  2⤵
  PID:7648
- C:\Windows\System32\FsIso.exe
  "C:\Windows\System32\FsIso.exe"
  2⤵
  PID:7668
- C:\Windows\System32\fsquirt.exe
  "C:\Windows\System32\fsquirt.exe"
  2⤵
  PID:7740
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:7756
- C:\Windows\System32\ftp.exe
  "C:\Windows\System32\ftp.exe"
  2⤵
  PID:8064
- C:\Windows\System32\fvenotify.exe
  "C:\Windows\System32\fvenotify.exe"
  2⤵
  PID:7932
- C:\Windows\System32\fveprompt.exe
  "C:\Windows\System32\fveprompt.exe"
  2⤵
  PID:8020
- C:\Windows\System32\FXSCOVER.exe
  "C:\Windows\System32\FXSCOVER.exe"
  2⤵
  PID:7988
- C:\Windows\System32\FXSSVC.exe
  "C:\Windows\System32\FXSSVC.exe"
  2⤵
  PID:7512
- C:\Windows\System32\FXSUNATD.exe
  "C:\Windows\System32\FXSUNATD.exe"
  2⤵
  PID:7976
- C:\Windows\System32\GameBarPresenceWriter.exe
  "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  PID:7284
- C:\Windows\System32\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe"
  2⤵
  PID:7920
- C:\Windows\System32\GenValObj.exe
  "C:\Windows\System32\GenValObj.exe"
  2⤵
  PID:7768
- C:\Windows\System32\getmac.exe
  "C:\Windows\System32\getmac.exe"
  2⤵
  PID:7996
- C:\Windows\System32\gpresult.exe
  "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:7992
- C:\Windows\System32\gpscript.exe
  "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:7764
- C:\Windows\System32\gpupdate.exe
  "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:7876
- C:\Windows\System32\grpconv.exe
  "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:7700
- C:\Windows\System32\hdwwiz.exe
  "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:8144
- C:\Windows\System32\help.exe
  "C:\Windows\System32\help.exe"
  2⤵
  PID:7520
- C:\Windows\System32\HOSTNAME.EXE
  "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:6608
- C:\Windows\System32\hvax64.exe
  "C:\Windows\System32\hvax64.exe"
  2⤵
  PID:8108
- C:\Windows\System32\hvix64.exe
  "C:\Windows\System32\hvix64.exe"
  2⤵
  PID:8124
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe"
  2⤵
  - Modifies file permissions
  PID:7604
- C:\Windows\System32\IcsEntitlementHost.exe
  "C:\Windows\System32\IcsEntitlementHost.exe"
  2⤵
  PID:7552
- C:\Windows\System32\icsunattend.exe
  "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:7696
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe"
  2⤵
  PID:7228
- C:\Windows\System32\ie4ushowIE.exe
  "C:\Windows\System32\ie4ushowIE.exe"
  2⤵
  PID:8096
- C:\Windows\System32\IESettingSync.exe
  "C:\Windows\System32\IESettingSync.exe"
  2⤵
  PID:8264
- C:\Windows\System32\ieUnatt.exe
  "C:\Windows\System32\ieUnatt.exe"
  2⤵
  PID:8980
- C:\Windows\System32\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:9192
- C:\Windows\System32\immersivetpmvscmgrsvr.exe
  "C:\Windows\System32\immersivetpmvscmgrsvr.exe"
  2⤵
  PID:9200
- C:\Windows\System32\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:9212
- C:\Windows\System32\InputSwitchToastHandler.exe
  "C:\Windows\System32\InputSwitchToastHandler.exe"
  2⤵
  PID:7928
- C:\Windows\System32\iotstartup.exe
  "C:\Windows\System32\iotstartup.exe"
  2⤵
  PID:8004
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:7760
- C:\Windows\System32\iscsicli.exe
  "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:8260
- C:\Windows\System32\iscsicpl.exe
  "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:8248
- C:\Windows\System32\ISM.exe
  "C:\Windows\System32\ISM.exe"
  2⤵
  PID:7228
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:8096
- C:\Windows\System32\j7xqt2.exe
  "C:\Windows\System32\j7xqt2.exe"
  2⤵
  PID:7700
- C:\Windows\System32\klist.exe
  "C:\Windows\System32\klist.exe"
  2⤵
  PID:8400
- C:\Windows\System32\ksetup.exe
  "C:\Windows\System32\ksetup.exe"
  2⤵
  PID:8564
- C:\Windows\System32\ktmutil.exe
  "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:8920
- C:\Windows\System32\la57setup.exe
  "C:\Windows\System32\la57setup.exe"
  2⤵
  PID:8932
- - C:\Users\Admin\AppData\Local\Temp\A3FA5573-B8C9-4B15-B4F6-1274DCBCFAB6\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\A3FA5573-B8C9-4B15-B4F6-1274DCBCFAB6\dismhost.exe {45DBC38F-1D82-4547-8CC9-3E93B1FB2DFC}
    3⤵
    PID:8760
- C:\Windows\System32\label.exe
  "C:\Windows\System32\label.exe"
  2⤵
  PID:7992
- C:\Windows\System32\LanguageComponentsInstallerComHandler.exe
  "C:\Windows\System32\LanguageComponentsInstallerComHandler.exe"
  2⤵
  PID:9096
- C:\Windows\System32\LaunchTM.exe
  "C:\Windows\System32\LaunchTM.exe"
  2⤵
  PID:9116
- - C:\Windows\System32\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    PID:6652
- C:\Windows\System32\LaunchWinApp.exe
  "C:\Windows\System32\LaunchWinApp.exe"
  2⤵
  PID:8980
- C:\Windows\System32\LegacyNetUXHost.exe
  "C:\Windows\System32\LegacyNetUXHost.exe"
  2⤵
  PID:7896
- C:\Windows\System32\LicenseManagerShellext.exe
  "C:\Windows\System32\LicenseManagerShellext.exe"
  2⤵
  PID:7912
- C:\Windows\System32\licensingdiag.exe
  "C:\Windows\System32\licensingdiag.exe"
  2⤵
  PID:8568
- C:\Windows\System32\LicensingUI.exe
  "C:\Windows\System32\LicensingUI.exe"
  2⤵
  PID:8376
- C:\Windows\System32\LocationNotificationWindows.exe
  "C:\Windows\System32\LocationNotificationWindows.exe"
  2⤵
  PID:8400
- C:\Windows\System32\Locator.exe
  "C:\Windows\System32\Locator.exe"
  2⤵
  PID:8772
- C:\Windows\System32\LockAppHost.exe
  "C:\Windows\System32\LockAppHost.exe"
  2⤵
  PID:9136
- C:\Windows\System32\LockScreenContentServer.exe
  "C:\Windows\System32\LockScreenContentServer.exe"
  2⤵
  PID:9168
- C:\Windows\System32\lodctr.exe
  "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:9120
- C:\Windows\System32\logagent.exe
  "C:\Windows\System32\logagent.exe"
  2⤵
  PID:8368
- C:\Windows\System32\logman.exe
  "C:\Windows\System32\logman.exe"
  2⤵
  PID:8404
- C:\Windows\System32\logoff.exe
  "C:\Windows\System32\logoff.exe"
  2⤵
  PID:8908
- C:\Windows\System32\LogonUI.exe
  "C:\Windows\System32\LogonUI.exe"
  2⤵
  PID:9212
- C:\Windows\System32\lpkinstall.exe
  "C:\Windows\System32\lpkinstall.exe"
  2⤵
  PID:9024
- C:\Windows\System32\lpksetup.exe
  "C:\Windows\System32\lpksetup.exe"
  2⤵
  PID:8996
- C:\Windows\System32\lpremove.exe
  "C:\Windows\System32\lpremove.exe"
  2⤵
  PID:6516
- C:\Windows\System32\LsaIso.exe
  "C:\Windows\System32\LsaIso.exe"
  2⤵
  PID:8100
- C:\Windows\System32\lsass.exe
  "C:\Windows\System32\lsass.exe"
  2⤵
  PID:5784
- C:\Windows\System32\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:3980
- C:\Windows\System32\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:480
- C:\Windows\System32\manage-bde.exe
  "C:\Windows\System32\manage-bde.exe"
  2⤵
  PID:5632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C0
1⤵
PID:1044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:1012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1452

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:5428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:5604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5148
- C:\Windows\system32\dashost.exe
  dashost.exe {44cb9b05-3a9f-4a30-978630c7da8bdfa7}
  2⤵
  PID:5664
- C:\Windows\system32\dashost.exe
  dashost.exe {4e87e64a-9e68-435f-833f9f86f37edd89}
  2⤵
  PID:6256
- C:\Windows\system32\dashost.exe
  dashost.exe {ba798ad0-3368-4c66-b231d25d6d0b6c96}
  2⤵
  PID:6748

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:6424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
1⤵
PID:6676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc
1⤵
PID:6704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:7128

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
PID:5176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:6212

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:5132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:8168

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:7376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:7512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b5055 /state1:0x41c64e6d
1⤵
PID:8280

C:\Windows\system32\lpksetup.exe
"C:\Windows\system32\lpksetup.exe" -Embedding
1⤵
PID:6880

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000154 0000008c
1⤵
PID:1420

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000bc 0000008c
1⤵
PID:2612

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 0000008c
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\2b9afc56d7186b09\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
bb4433054c0f620b652b0b1b534f431e

SHA1
4a3317da88b40331d8437632eddf777e4e28591d

SHA256
dec21a4b197280eb09300dad7251445b88f65520f18983ee8e3fbfd2a3788d33

SHA512
b57b44ee8a15e803721d8bfa16a06e969a9dae138f7abf6551d648002bbdbdccd01d057e32f5d0cee276d3e0ee9a07b494cd9869fe3a752e395f08b4573c172d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
291be6ff5bd5960da9baad21a65c42f7

SHA1
3338e72024d1fe5ce7a412b872857179821d7357

SHA256
ae014ebdc11bec23677366a9ea613bf2c87c042b228c825e90e74a6bd25169b1

SHA512
b8dfef2bfe9df1ea9c03aa1c5f438ce442e47566b7cff76988cd5d47417d9dd3331855a063ce77b9480adfe8b273326ad4b933a60f5b7be5a89b09d368445fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\AppxProvider.dll

Filesize
664KB

MD5
a31cb807bf0ab4ddbbe2b6bb96ae6cd1

SHA1
cf63765b41aee9cd7ae76c04dfbb6151e909b3c9

SHA256
37f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47

SHA512
6a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\CbsProvider.dll

Filesize
1004KB

MD5
f51151b2d8d84cddbedbeffebdc6ec6a

SHA1
adc9c19aa0663e65997f54835228968e13532198

SHA256
7fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884

SHA512
802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\DismCore.dll

Filesize
444KB

MD5
c73ee8f61bce89d1edad64d16fedcdd6

SHA1
e8fe02e68fd278fd4af501e350d412a5a91b269f

SHA256
b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413

SHA512
8a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\DmiProvider.dll

Filesize
436KB

MD5
e54120aa50f14e0d3d257e77db46ece5

SHA1
922203542962ec5f938dcb3c876f060ecf17f9dc

SHA256
b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54

SHA512
fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\FfuProvider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\FolderProvider.dll

Filesize
92KB

MD5
0e6d074c223b6706c29de2e9d6d9d05c

SHA1
c4758d6e444b5f943c9ae8570c6d1945d7b2ab8f

SHA256
3129bd336b26f9da626189a2386c362584204a5d24ec0733be3cf0c8f5d855e2

SHA512
fa48aa14b7e66749a34a7195944966b670649935f1eef9d6f17cf7d9893dc83339fed4bcfeb5c5be0be8f4c0a250cf71e4e0bbc6456017890b8b5ef0ee2d885b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\GenericProvider.dll

Filesize
172KB

MD5
20fb116831396d9477e352d42097741c

SHA1
7e063ac9bc173a81dc56dc5864f912041e2c725a

SHA256
6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4

SHA512
851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\MsiProvider.dll

Filesize
208KB

MD5
eb171b7a41a7dd48940f7521da61feb0

SHA1
9f2a5ddac7b78615f5a7af753d835aaa41e788fc

SHA256
56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

SHA512
5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\SetupPlatformProvider.dll

Filesize
192KB

MD5
3c9f121f5e3a6f1eafafdd8a1223a197

SHA1
5921441e91b96e05c7ecbb75224eaeeedc37fc56

SHA256
9f86bdfd3ddb0e67820d7418334bc76b701dce9ad8414bb14480830e4656bbd8

SHA512
cfe36a2035855ce94b6ecfa5b87f92c98f46f63ef5fe228d315244add9323f810b4c9244338974f88903d2817184c634a3133496b3a36ca2d3123c3a585f9603

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\SmiProvider.dll

Filesize
272KB

MD5
46e3e59dbf300ae56292dea398197837

SHA1
78636b25fdb32c8fcdf5fe73cac611213f13a8be

SHA256
5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

SHA512
e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\AppxProvider.dll.mui

Filesize
23KB

MD5
f70750a86cda23a3ced4a7ecf03feebd

SHA1
1c2d9d79974338ce21561b916130e696236fbb48

SHA256
8038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050

SHA512
cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
3a26818c500fb74f13342f44c5213114

SHA1
af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602

SHA256
421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb

SHA512
afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
8644aa200968ce8dfe182f775e1d65c4

SHA1
060149f78e374f2983abde607066f2e07e9b0861

SHA256
46b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030

SHA512
29b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\DismCore.dll.mui

Filesize
7KB

MD5
0a4338fdfb1adaa6592b8f1023ced5cf

SHA1
b96bd2067f43e5142e19f9c66e4db7d317d9cd2e

SHA256
0b6ac5a720dc9163dea36e565c82da1e375041688e6594de15d97652ab7aca80

SHA512
cf8cbb592dc5f09a95892d897680d4ca4f59e74afaeea2701d7258ace84c4c1182e032e7dd76cbd52a77ea08c8d3858e9b5f900691a6d80c728f5e56701382db

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
3b3ac59021e9dc8918647b454a1f5024

SHA1
cf36a48398e2823f7d9b684d9aacf3a0a4d54d06

SHA256
a5cd6429d6be85895c4589e08cb33075041a13d93fca69084ffeb4213bb0d4ff

SHA512
4eeaaaf3d8a466c0b1723ae97e1ecd1c3f6b8751ddc1ec314a04192e088a38ee5f29f16541ef27a56f2f26c6d146c7f9fc581680ec69ff02843580be525a2b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\EdgeProvider.dll.mui

Filesize
6KB

MD5
305a69cdd335dcca15d48f044c89badd

SHA1
97db8ee824b8e5d2787cfa1004747b4e8a6ca9d9

SHA256
a82cd208624572c3258795a4d097b48ec2dcf1bcbc817445025f059768719e65

SHA512
3e13bd38ac4a8411391bd65791a9a82f191b699e857c02c6a86ca464c64f814a11f280f142c2cfb1231cadad0c160a933216b9623561942deaedaa9b6b03bb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
445554611dc7e6011492db086ba6e64e

SHA1
829493e8554113942ebe5035ea7d8a6e70c29041

SHA256
8625973391145207eb8dcc0d9f8f7fb555808fa58d2a07237f68b1d9e08dfa11

SHA512
6e69a532bb92d03a507e897130f3765049e1ec7893c7174c3a82332f575f78cfd301d1d502c3b124f8b9d915016fd94a50821a7dd295e125232bb3b064f34b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
b6968d5f3d3cf05ad37edb013c929494

SHA1
66b4b6e47add2b5dff62efc9003782d0dd39b255

SHA256
0e4f5bdc9ba2430ff266e89f6e44017604c14e72e5427cafcb6074c855169524

SHA512
d566f1f017216a1259877c5c36bcc277197e2e61b6a05cae135023da2b07ecac96e3800c11fa60fdc6835bbe5620b3d967a1f9d3a9c4535a3f99996d09d1cb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
9f2f931b1976909b88fb24e24334a4d2

SHA1
43a5bb922ec1ccd751405dd44cf2ee57706484ca

SHA256
21eb6be50350e296f140c7a877923c7b8b6824d0ae983c899f3543a2fe26e681

SHA512
9b60018330e1ec830e3c23ce49c1b0a4106dcd5251dd69a5ed8373f7f3341a120977efac37bc4644c59ae06733e5ebd97fe6d1198dd0ba711cecba1bec3c9613

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
fb17429f4d39fe142e5b682f180a9e7d

SHA1
165e81224b64775364e8f5e4bfc952b65d5a5b56

SHA256
a48e621724c5a977373d10de1420d7e5a8b902b2a3896d9b00b53ae8adffe071

SHA512
374c6223cef75443fe35198d352e7b27b6958f69cc035e01a0b560085bacd19ad7f61ed890f6055c238f41cccbbb8f4a9b674c6903edcf347a1c26eab03ce00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\ImagingProvider.dll.mui

Filesize
18KB

MD5
b86f01d8b143161859fd34ccf7882530

SHA1
ad843023f035b83fadf1caf305892d9e6d31500b

SHA256
cb1a0d62b5b8368926833d4dceb594ecd20c661ed0d8ac111615699aa3fe2442

SHA512
bb4f7f8012930d3e548f8d70f698c3e272b470055dd13a7f728a7fd8f732e891e559307ffa1f4e25091f8b73f8321906d3a773b21350324452ad0aeeb8b222f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\IntlProvider.dll.mui

Filesize
27KB

MD5
60506e35e0d0b89a2a606634223e491a

SHA1
4f05b7eb26746dc50c0bda286d2c9cf213177cd2

SHA256
a3458c824e987b2327a3853601206e21a66ac075e63c294e31277724fc0afa86

SHA512
1b87dc05963c7fc6dd48453e86d7b230757e2de3c171fa489605317558bab7c1ecf515b2194fec7f6a322b26ad0d73965539bebeacf43082c27dc16c353db80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\LogProvider.dll.mui

Filesize
6KB

MD5
a6886158d0b23f0198efb318211fd7d7

SHA1
86d859973a14599d5aa18afa24296c3668dea127

SHA256
e7df3f5235b90541090811aa896596ee4e4dcd515adc79c83f0b6a7a84a97adb

SHA512
7d5890947105db2fde29ab9b85ebd435b4576027479b440b09576c86b840e6484f86a4f29be859d04fc840dabb0c227d3e1f3f8bd8e37fee7d94631c3fe8f60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\MsiProvider.dll.mui

Filesize
15KB

MD5
cea3a44e41797d33cc2a834f7cc8a412

SHA1
203f532d6b1874ca42936a7bfc197572bc51c6e5

SHA256
572e5f8c5ce65404714f328d86a1386102995498d71538dc0db45a9d60cd692d

SHA512
90f2b7a9ad08e7c01ea53e3b2501d28f864e4cce3ff082e1d021d8170d23625c44b7dfa371db38b47f63628d50231d06c848734c091e7c641b2a33fd2c93c58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\OSProvider.dll.mui

Filesize
3KB

MD5
1ee141f9431a2af3dd512b04055610c2

SHA1
f8ef46dc21fec452cda8d73dad14c055613f28b1

SHA256
b8573936e990b8e55290a943490dbfe94bc49f58a4d9de1836bd7ff7dffe7ff6

SHA512
40eed3683efdb9f6528e11e80ab35a3103387d36033faaedc22024ac594fb5eab787a5e4a0825d092fc91c2f3ead73d3dd6f4629bd0baedd56b189d391c4a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\OfflineSetupProvider.dll.mui

Filesize
2KB

MD5
ae0676524e95d0e7e4370722efa3a773

SHA1
f8205f04661335dab1e8fc23e24ea1cf96511737

SHA256
9f93067d93529189ca6f64c44de2e813d30b0b8a20181a6e56180d4951c0bc61

SHA512
83a754db5fa94471be16a660b9a2284f1a46de02a23f8c675d002ca64e365b5e9d52e3660a463bcfa0e430f98285fac451508a93b1a7cfded1e5b67d83f5a7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\ProvProvider.dll.mui

Filesize
4KB

MD5
bc35aae56857c817097331a65d7769d1

SHA1
cb992cb30dc75b93f547c13f8b9be1278e7394da

SHA256
7fb6900ebb304df91cdc53d50687eed5269e74615cca7e76f4598721294022dc

SHA512
5be9fb550f6cd8508d49ae6bde29b1fb6a951fefa16f5f8fc3a515f557d35f413dde71c9637292f5f8e282c66d9134b02f41267544874c976635f9b4e06e8c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\SetupPlatformProvider.dll.mui

Filesize
5KB

MD5
2e9a8c5abecfa6e5c412222df813cbc2

SHA1
7c5874ef08d9af001eabee9c70e32a2a7f375448

SHA256
e708b5b5628f236cd1d41b864a3ef8ee401cb6f7b5f12c1cd8b76d2277c101f3

SHA512
c03f0120386d7b3ca0bc93652bace096090d9f0e23e83a8345e390405a2a46bb75f07f2b1d8988b7820b74d3d01f9634e13405337dbb4623e16c7909675b071d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\SmiProvider.dll.mui

Filesize
2KB

MD5
d316bf2ee142352ab8a66e634599d542

SHA1
f1d94c822af18899a622400a14cef1cded21983a

SHA256
631f0b431e7296a03ae309d573f1c1c09467d1c0badea7456b1bebe44cd2eae0

SHA512
133b90143b40c19eec6ce1cf2d196391d159e0be040240d780abf8f090be32c9b39b879da11c2c605677bf01e6d88f7e97b1c92d7c6a27359a9e44988fcc5097

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\SysprepProvider.dll.mui

Filesize
3KB

MD5
a71ef2e202f70dfe443001aaa0eb4cde

SHA1
bd3e1662696f413584ef4c704e98c99369724b24

SHA256
e3d22713daa426992f2efffafda6dc59ee32502c4f10a0330770de2a3144d654

SHA512
f39e2ee6b956b4a373fb22198b1cd0c248372c9d7e3ac2e4eb34b9a1e9417c02e323d369a889e37596c54050c871a4c437398138989ba0db3b6b76326ffa361b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\TransmogProvider.dll.mui

Filesize
16KB

MD5
77c25ed6331316ae69c991eaf48c61f5

SHA1
aee136b521992cfe3dd37bfca3682b865404d86a

SHA256
a1dd6b743961ddb20c3ff40f9227008d97ea7dc6e6ccde0918dc37f8bb79fe2d

SHA512
76eee57583215ad4cbd9a2dffd15f8f4e2f3a36acb5c86b6f28f4cf3cec7fc6483a7a155c7b7e7cfe7f0a19e26c4b4bcfd5d20ad0fd81b8d47f1694eee51de68

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D559A7-7D55-4B4C-9E65-1D577FCA06B3\en-US\dismprov.dll.mui

Filesize
2KB

MD5
bff1ff3b5a6dba20ce82214fd626dc2b

SHA1
affa7a6f6f1bec42dafe0ca868463eddffcc17e0

SHA256
f307033265151affded4af3dbc2527bc16479468af740ea913f84a2a3a557c46

SHA512
20dfc62f92fc8ab8c7f757a078103414c4e359b744a603f8b655dcd2340677fa7d5fd2acf3c544a3409d31194df788e764c262ea7c625019276e1d00d3f6de19

Download Submit
C:\Users\Admin\AppData\Local\Temp\temAC2E.tmp

Filesize
1KB

MD5
99ef38f2d6af1b8785722e3a42eb0976

SHA1
048884451f2d857fc872a2b0d7aa1b9dab295ef3

SHA256
1cd710b5b4076483a6ff9077907e3dad6551a472b1251ea8b72bd299115e3ed2

SHA512
8e370440dc18b34cfeef32af023ccc2ecbca3e58b7fa08be18a86f39476c0204923ef152a25f176db2fcfc64a25e62c46d0732780ad44780c4d70c15ea5acb15

Download Submit
C:\Users\Admin\Documents\Fax\Personal CoverPages\desktop.ini

Filesize
83B

MD5
598e1a868a65c0b66b59c088f52360ba

SHA1
54418059a2190ee09d84dd1dfb80ce44f1fc661e

SHA256
c183370acb893e1c862bb094ffa9abc34af886933ef45a572d4bcf52f845bbb2

SHA512
dce894ce4ffd8c2cc14a83d1416c0a2ea2d4abe02eda88cee571ecdba094c2d458b4f6644969cf0e96baf3367c286bfa01099400ae5d0cbe0b3ed97f8e803edd

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
265KB

MD5
2fc00523293cd7e0517f91a880649b17

SHA1
d6bcb9442385843cb19370dcfd613afcdb9d1c11

SHA256
47d649118368bdcf689b8c32007b243427b5333479950ab4fd6322a30056c9f7

SHA512
15f94e6b5c21e94283f8f0a78951e94e765327ff254df92204b3a82cd0ed623e420c8f034c8ba9a7f58153bb32dae0117f5751f636bbcebbe1b890c946499241

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
264KB

MD5
dcddd52ad744602d685e09444321bf5e

SHA1
9d84557b9e29ed46e30ccf9630cac74e9a961b6d

SHA256
f261182fbaed8ed366c555c3725a8adb9bdcece37076ded01ebaab2e1b781199

SHA512
507885684299b3f4cd56021a112b15697363d9cfb93ae6483e2cdbdb8545b7e2607cb30aac561f14da3423e3147caae44c51e5053631b2084d33d526300a7e67

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
273KB

MD5
36c56946fc3af284bfba647f76b095e5

SHA1
ad0615e8de3814fb48bda3d2c9e19dca0ba6089c

SHA256
3526532a1ce5dcef91ba205785eb620ed90f9125e64f326d7b326e92eb1007b9

SHA512
927e0727373c499d13b167f272d842a602c639a2c6935ad3dab1706fc50734b936a89fac64581a23f27265cebc66234f81b914402ac64f3229c058df373017ee

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
cfb4def0353f87c00db2fcefb4a9680f

SHA1
9de42809432d89b7be819d738e28bd41766eec88

SHA256
8e87e19341be085b6f1da42e49b75da244ccc3a99151d96fabae705a95c1debc

SHA512
9b72c95ffee1ceeeb3d5931823b8af00fbd0e61f92dfe9c9a55ffd9b79c771f00b0e25b168b05643056de5aa723e728e409c5528d309301c07786b5e14d6ad86

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
0e2e733c9de5e2bf48b0bc69e140a2a9

SHA1
8b06c458377bf364e800ab054fa020cdb825ded4

SHA256
0306e62615591d586698e1ba83f7bbfb49e67e741bdf37d65a4cd91bfdfc33eb

SHA512
7d19c04896248a54a6bb35f348b2f995e2a77dc74adb9f2b43994c2775354641e9bd46b5dc127900f55bcdda2bf97701cd1ffacc8429d69d37b0f1e0d4e5569d

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
15KB

MD5
b299213b3d6df785a9a7d3f3859d1bf6

SHA1
b7e9766ac16b2f3cacc79baff9d771d59e56b291

SHA256
c0adfbedf8b3ff5519e345ffee93d3e8da55b1c4d8debdd0c808477adb1cbbe1

SHA512
cd43e943534a53102555f5e1e44d054b0cba2c86d1fb42220ec4b97c170227c7a7d0d0afe16f66d1234e4b85ada2bee5b29cc4bbb4986e0e2c031627e49709ff

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
5b8c5cfcca765dd805d098cb0309b4d9

SHA1
5369521d1ef441a16069ddb6cd4b6f6a369a05ef

SHA256
f83e496fa91fd680254de29a345e3d917251254047dad4894ca815e0bdc37188

SHA512
e9d0248f60ede60bd101285939f93a109ec573bf148e80e242428ddfdca1a231f5edd690263290a516e4f132045a05ed30af14685a63794fab34d4934f5b6ab4

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
16KB

MD5
63ed14c2dd8c5d8e0cc23d0c8a231d2e

SHA1
9b4a2b7de880e44611acb2b4c48c8ba0690702f9

SHA256
d6add93984042de64c2f3e7e74b1eb78808abfcf099f7304a4e9a62e7ae39c1a

SHA512
2d63f05c2a485e332c0fde79feedf943f7cca01211157ce580e770de0d781588879bb38cc28ff6b6243bfe96bd176400d8a422f1c498548de3d891a1947f0967

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
45KB

MD5
47cc91a1f734a1516c04f9d30659e758

SHA1
d7bf83ebd8810729daaea1b8a61c73ca07e17358

SHA256
e91e05049574ef29a6d09c0bc4e9a9b8d04e3e246e6f604e61362dfaa719547f

SHA512
76122356ba00cce5b265b2555984499b7f57146d65f5fa7c7c1c45a8d156c77feefe3b6892f930e1b31d3425d0a4317d5748078d6da1140930ba35488bee3df5

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
46KB

MD5
d87caefa6f03199d287898af74d0ab6a

SHA1
b7292db225520457c3420ac94a9e72fde92f9a3a

SHA256
bbcb71dfe7d924e23c32f7d2baffaaa21577ec75fa2f51a2fddc29d73567eb62

SHA512
9dcddb99f3faef47a76b99d35b18ed46c76c31e9040b58efcbb9aac915ecc09e2cc402bb8ccb29ead97ff801f2e7fe2add96f5edcd8a56a7047cb33a74180e00

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
466B

MD5
33e1b75d98649d7911f4d96b76445882

SHA1
8ee98abf3f762afb7e641b31d6bd3be573afbccc

SHA256
e8c6c98d6b3020af486c1ec96db02f2b82f039d100016ef733cbf78af107ec07

SHA512
d6a4f6918debc06e1712b6e037118c45532f0ada5556ff97f84c1e707897cdb886b86810e37c89813e751f054d02dcadd2a78ff6c39f47d299dfa0eec63598a5

Download Submit
memory/1036-18-0x00000240FADC0000-0x00000240FADD0000-memory.dmp

Filesize
64KB

Download
memory/1036-20-0x00000240FADC0000-0x00000240FADD0000-memory.dmp

Filesize
64KB

Download
memory/1036-17-0x00000240FADC0000-0x00000240FADD0000-memory.dmp

Filesize
64KB

Download
memory/2728-229-0x00007FF675A10000-0x00007FF675A4F000-memory.dmp

Filesize
252KB

Download
memory/4872-15-0x0000028C2C440000-0x0000028C2C450000-memory.dmp

Filesize
64KB

Download
memory/4872-16-0x0000028C2C440000-0x0000028C2C450000-memory.dmp

Filesize
64KB

Download
memory/4872-22-0x0000028C2C440000-0x0000028C2C450000-memory.dmp

Filesize
64KB

Download
memory/5176-313-0x00000145A2720000-0x00000145A2721000-memory.dmp

Filesize
4KB

Download
memory/5176-300-0x00000145A2710000-0x00000145A2711000-memory.dmp

Filesize
4KB

Download
memory/5176-299-0x00000145A2680000-0x00000145A2681000-memory.dmp

Filesize
4KB

Download
memory/5176-301-0x00000145A2710000-0x00000145A2711000-memory.dmp

Filesize
4KB

Download
memory/5176-312-0x00000145A2720000-0x00000145A2721000-memory.dmp

Filesize
4KB

Download
memory/5176-285-0x00000145999B0000-0x00000145999C0000-memory.dmp

Filesize
64KB

Download
memory/5176-292-0x00000145A2600000-0x00000145A2601000-memory.dmp

Filesize
4KB

Download
memory/5176-282-0x0000014599980000-0x0000014599990000-memory.dmp

Filesize
64KB

Download
memory/5176-294-0x00000145A2680000-0x00000145A2681000-memory.dmp

Filesize
4KB

Download
memory/5452-239-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-245-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-238-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-240-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-250-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-249-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-248-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-247-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-246-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/5452-244-0x0000017F32640000-0x0000017F32641000-memory.dmp

Filesize
4KB

Download
memory/6300-307-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-297-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-310-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-308-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-309-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-296-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-305-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-306-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/6300-298-0x000001CF73630000-0x000001CF73631000-memory.dmp

Filesize
4KB

Download
memory/7504-428-0x00000283D48A0000-0x00000283D4982000-memory.dmp

Filesize
904KB

Download
memory/7504-431-0x00000283BA710000-0x00000283BA71A000-memory.dmp

Filesize
40KB

Download
memory/7504-430-0x00000283BA700000-0x00000283BA710000-memory.dmp

Filesize
64KB

Download
memory/7504-436-0x00000283D4E90000-0x00000283D4EA9000-memory.dmp

Filesize
100KB

Download
memory/7504-437-0x00000283D50C0000-0x00000283D50E6000-memory.dmp

Filesize
152KB

Download
memory/7504-427-0x00007FF7DC270000-0x00007FF7DC2B0000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads