njrat | 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

Analysis

max time kernel
250s
max time network
263s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 09:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pisun.exe
Size

54KB
MD5

45140e967970cd63521eaa76dc4db7d7
SHA1

aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256

3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512

d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP

768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg

Score

10^/10

njrat ramnit banker bootkit defense_evasion discovery persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

Njrat family
njrat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b786525d676d42989eac1bb8bc2bd979.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
3572	b786525d676d42989eac1bb8bc2bd979.exe
3124	617eb3977e934031b15cb6e45e2fdea9.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
8984	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1400	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b786525d676d42989eac1bb8bc2bd979.exe
File opened for modification	\??\PhysicalDrive0	617eb3977e934031b15cb6e45e2fdea9.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002a370-158.dat	upx
behavioral1/memory/8520-161-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x000200000002a9ec-165.dat	upx
behavioral1/memory/8552-166-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/8520-212-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x0004000000025cd8-402.dat	upx
behavioral1/memory/8984-405-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/8584-451-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/8984-463-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5708	5508	WerFault.exe	164
8624	8552	WerFault.exe	284
3064	3604	WerFault.exe	478
6780	1908	WerFault.exe	448

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b786525d676d42989eac1bb8bc2bd979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	617eb3977e934031b15cb6e45e2fdea9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6712	PATHPING.EXE
484	PING.EXE
648	cmd.exe

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2624	cmd.exe
4848	cmd.exe
3504	cmd.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
8276	ipconfig.exe
8680	NETSTAT.EXE

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
484	PING.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: SeSystemtimePrivilege	3572	b786525d676d42989eac1bb8bc2bd979.exe
Token: 33	3268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3268	AUDIODG.EXE
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: SeSystemtimePrivilege	3572	b786525d676d42989eac1bb8bc2bd979.exe
Token: SeSystemtimePrivilege	3572	b786525d676d42989eac1bb8bc2bd979.exe
Token: 33	2192	pisun.exe
Token: SeIncBasePriorityPrivilege	2192	pisun.exe
Token: SeSystemtimePrivilege	3572	b786525d676d42989eac1bb8bc2bd979.exe
Token: SeSystemtimePrivilege	3572	b786525d676d42989eac1bb8bc2bd979.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3572	2192	pisun.exe	82
PID 2192 wrote to memory of 3572	2192	pisun.exe	82
PID 2192 wrote to memory of 3572	2192	pisun.exe	82
PID 2192 wrote to memory of 3124	2192	pisun.exe	85
PID 2192 wrote to memory of 3124	2192	pisun.exe	85
PID 2192 wrote to memory of 3124	2192	pisun.exe	85
PID 3124 wrote to memory of 2996	3124	617eb3977e934031b15cb6e45e2fdea9.exe	86
PID 3124 wrote to memory of 2996	3124	617eb3977e934031b15cb6e45e2fdea9.exe	86
PID 3124 wrote to memory of 2996	3124	617eb3977e934031b15cb6e45e2fdea9.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pisun.exe
"C:\Users\Admin\AppData\Local\Temp\pisun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\b786525d676d42989eac1bb8bc2bd979.exe
  "C:\Users\Admin\AppData\Local\Temp\b786525d676d42989eac1bb8bc2bd979.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- - C:\Windows\SysWOW64\agentactivationruntimestarter.exe
    "C:\Windows\System32\agentactivationruntimestarter.exe"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\appidtel.exe
    "C:\Windows\System32\appidtel.exe"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\ARP.EXE
    "C:\Windows\System32\ARP.EXE"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\AtBroker.exe
    "C:\Windows\System32\AtBroker.exe"
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:5024
- - C:\Windows\SysWOW64\auditpol.exe
    "C:\Windows\System32\auditpol.exe"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\autochk.exe
    "C:\Windows\System32\autochk.exe"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\backgroundTaskHost.exe
    "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\BackgroundTransferHost.exe
    "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\bthudtask.exe
    "C:\Windows\System32\bthudtask.exe"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\ByteCodeGenerator.exe
    "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\CameraSettingsUIHost.exe
    "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\CertEnrollCtrl.exe
    "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\certreq.exe
    "C:\Windows\System32\certreq.exe"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\charmap.exe
    "C:\Windows\System32\charmap.exe"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\chkdsk.exe
    "C:\Windows\System32\chkdsk.exe"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\chkntfs.exe
    "C:\Windows\System32\chkntfs.exe"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\choice.exe
    "C:\Windows\System32\choice.exe"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\cipher.exe
    "C:\Windows\System32\cipher.exe"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\System32\cleanmgr.exe"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cliconfg.exe
    "C:\Windows\System32\cliconfg.exe"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\System32\clip.exe"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\CloudNotifications.exe
    "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cmdkey.exe
    "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\System32\cmdl32.exe"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\System32\cmmon32.exe"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\System32\cmstp.exe"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\colorcpl.exe
    "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:776
- - C:\Windows\SysWOW64\comp.exe
    "C:\Windows\System32\comp.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\compact.exe
    "C:\Windows\System32\compact.exe"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\convert.exe
    "C:\Windows\System32\convert.exe"
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\CredentialUIBroker.exe
    "C:\Windows\System32\CredentialUIBroker.exe"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\credwiz.exe
    "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe"
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\System32\ctfmon.exe"
    3⤵
    PID:5508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 740
      4⤵
      Program crash
      PID:5708
- - C:\Windows\SysWOW64\cttune.exe
    "C:\Windows\System32\cttune.exe"
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\cttunesvr.exe
    "C:\Windows\System32\cttunesvr.exe"
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\curl.exe
    "C:\Windows\System32\curl.exe"
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\dccw.exe
    "C:\Windows\System32\dccw.exe"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\dcomcnfg.exe
    "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    PID:5972
  - - C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
      4⤵
      PID:5984
- - C:\Windows\SysWOW64\ddodiag.exe
    "C:\Windows\System32\ddodiag.exe"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\DevicePairingWizard.exe
    "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\dfrgui.exe
    "C:\Windows\System32\dfrgui.exe"
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\System32\dialer.exe"
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\diskpart.exe
    "C:\Windows\System32\diskpart.exe"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\System32\diskperf.exe"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\diskusage.exe
    "C:\Windows\System32\diskusage.exe"
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\Dism.exe
    "C:\Windows\System32\Dism.exe"
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\dllhost.exe
    "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\dllhst3g.exe
    "C:\Windows\System32\dllhst3g.exe"
    3⤵
    PID:6784
- - C:\Windows\SysWOW64\doskey.exe
    "C:\Windows\System32\doskey.exe"
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\dpapimig.exe
    "C:\Windows\System32\dpapimig.exe"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\DpiScaling.exe
    "C:\Windows\System32\DpiScaling.exe"
    3⤵
    PID:6180
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" ms-settings:display
      4⤵
      PID:6632
- - C:\Windows\SysWOW64\driverquery.exe
    "C:\Windows\System32\driverquery.exe"
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\dtdump.exe
    "C:\Windows\System32\dtdump.exe"
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\dvdplay.exe
    "C:\Windows\System32\dvdplay.exe"
    3⤵
    PID:4148
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      /device:dvd
      4⤵
      PID:6032
    - - C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        5⤵
        
        PID:6996
      - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        6⤵
        
        PID:6184
- - C:\Windows\SysWOW64\DWWIN.EXE
    "C:\Windows\System32\DWWIN.EXE"
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\System32\dxdiag.exe"
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\EaseOfAccessDialog.exe
    "C:\Windows\System32\EaseOfAccessDialog.exe"
    3⤵
    PID:7228
- - C:\Windows\SysWOW64\edpnotify.exe
    "C:\Windows\System32\edpnotify.exe"
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\efsui.exe
    "C:\Windows\System32\efsui.exe"
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    PID:7672
- - C:\Windows\SysWOW64\esentutl.exe
    "C:\Windows\System32\esentutl.exe"
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\eudcedit.exe
    "C:\Windows\System32\eudcedit.exe"
    3⤵
    PID:7820
- - C:\Windows\SysWOW64\eventcreate.exe
    "C:\Windows\System32\eventcreate.exe"
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    PID:7912
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:7940
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
        5⤵
        
        PID:7964
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe"
    3⤵
    PID:7984
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\System32\extrac32.exe"
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\fc.exe
    "C:\Windows\System32\fc.exe"
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\find.exe
    "C:\Windows\System32\find.exe"
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\findstr.exe
    "C:\Windows\System32\findstr.exe"
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\finger.exe
    "C:\Windows\System32\finger.exe"
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\fixmapi.exe
    "C:\Windows\System32\fixmapi.exe"
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\fltMC.exe
    "C:\Windows\System32\fltMC.exe"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\Fondue.exe
    "C:\Windows\System32\Fondue.exe"
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe"
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe"
    3⤵
    PID:7536
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "35d9a2406e244fa7bc3017ff84a74b98.exe"
      4⤵
      PID:7764
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "3750976607"
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "47543be9-7d70-49b6-ab34-e50c071fdec7.tmp"
      4⤵
      PID:5192
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "5accac62-a115-465f-9dfb-55da5d51e527.tmp"
      4⤵
      PID:6660
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "617eb3977e934031b15cb6e45e2fdea9.exe"
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "81e4f4fc-dcb0-403c-8e39-1816ccb5a35b.tmp"
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "acrocef_low"
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "AdobeSFX.log"
      4⤵
      PID:9136
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "aria-debug-3708.log"
      4⤵
      PID:6368
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "b786525d676d42989eac1bb8bc2bd979.exe"
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "BIT8731.tmp"
      4⤵
      PID:8620
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "c8c126e8-ce65-4fcf-a1e4-4a2a0d3ee1c7.tmp"
      4⤵
      PID:7756
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "ddodiag.xml"
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "dd_vcredistMSI2535.txt"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "dd_vcredistMSI254F.txt"
      4⤵
      PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "dd_vcredistUI2535.txt"
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "dd_vcredistUI254F.txt"
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "DefaultApps.xml"
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "DefaultAppsNew.xml"
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "hsperfdata_Admin"
      4⤵
      PID:8092
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "JavaDeployReg.log"
      4⤵
      PID:8156
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "jawshtml.html"
      4⤵
      PID:8992
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "jusched.log"
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "LDRRRRTK-20250313-1746.log"
      4⤵
      PID:5160
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "LDRRRRTK-20250313-1746a.log"
      4⤵
      PID:8616
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Low"
      4⤵
      PID:6640
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "mapping.csv"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:648
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft .NET Framework 4.7.2 Setup_20250313_174153332.html"
      4⤵
      PID:7360
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219"
      4⤵
      PID:7220
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219"
      4⤵
      PID:9148
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250313174216.log"
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250313174216_000_dotnet_runtime_6.0.27_win_x64.msi.log"
      4⤵
      System Time Discovery
      PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250313174216_001_dotnet_hostfxr_6.0.27_win_x64.msi.log"
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250313174216_002_dotnet_host_6.0.27_win_x64.msi.log"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250313174216_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log"
      4⤵
      PID:7012
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250313174237.log"
      4⤵
      PID:7796
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250313174237_000_dotnet_runtime_7.0.16_win_x64.msi.log"
      4⤵
      System Time Discovery
      PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250313174237_001_dotnet_hostfxr_7.0.16_win_x64.msi.log"
      4⤵
      PID:9028
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250313174237_002_dotnet_host_7.0.16_win_x64.msi.log"
      4⤵
      PID:8980
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250313174237_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log"
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250313174258.log"
      4⤵
      PID:6400
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250313174258_000_dotnet_runtime_8.0.2_win_x64.msi.log"
      4⤵
      System Time Discovery
      PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250313174258_001_dotnet_hostfxr_8.0.2_win_x64.msi.log"
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250313174258_002_dotnet_host_8.0.2_win_x64.msi.log"
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250313174258_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "mozilla-temp-files"
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "msdtadmin"
      4⤵
      PID:8336
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "msedge_installer.log"
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "OneNote"
      4⤵
      PID:8564
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "pisun.exe"
      4⤵
      PID:8664
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8576.tmp"
      4⤵
      PID:7968
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8586.tmp"
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8587.tmp"
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8588.tmp"
      4⤵
      PID:8588
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8599.tmp"
      4⤵
      PID:8924
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD859A.tmp"
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD859B.tmp"
      4⤵
      PID:6232
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD859C.tmp"
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD859D.tmp"
      4⤵
      PID:8996
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD859E.tmp"
      4⤵
      PID:9024
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD85B0.tmp"
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD85E1.tmp"
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8611.tmp"
      4⤵
      PID:8932
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8623.tmp"
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8625.tmp"
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD864C.tmp"
      4⤵
      PID:7744
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD864D.tmp"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD864E.tmp"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD864F.tmp"
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8660.tmp"
      4⤵
      PID:8244
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8661.tmp"
      4⤵
      PID:8388
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8662.tmp"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD86A2.tmp"
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD878F.tmp"
      4⤵
      PID:8124
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD880E.tmp"
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD881F.tmp"
      4⤵
      PID:8112
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD896A.tmp"
      4⤵
      PID:8624
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8A27.tmp"
      4⤵
      PID:8708
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8B90.tmp"
      4⤵
      PID:6224
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8BA2.tmp"
      4⤵
      PID:8232
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8C80.tmp"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8C90.tmp"
      4⤵
      PID:7672
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8F90.tmp"
      4⤵
      PID:6944
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD8FC1.tmp"
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD97B2.tmp"
      4⤵
      PID:8820
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCD9C96.tmp"
      4⤵
      PID:5508
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "TCDA245.tmp"
      4⤵
      PID:1068
- - C:\Windows\SysWOW64\fsquirt.exe
    "C:\Windows\System32\fsquirt.exe"
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\fsutil.exe
    "C:\Windows\System32\fsutil.exe"
    3⤵
    PID:7776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
    3⤵
    PID:7936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x370,0x7ffab1ecf208,0x7ffab1ecf214,0x7ffab1ecf220
      4⤵
      PID:7944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1656,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:11
      4⤵
      PID:7216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2428,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:2
      4⤵
      PID:6612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2112,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:13
      4⤵
      PID:7588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3328,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:7632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3336,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:6568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4028,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4052,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:9
      4⤵
      PID:2036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4064,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4080,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:9
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5028,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:14
      4⤵
      PID:8552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:14
      4⤵
      PID:8776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4640,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:14
      4⤵
      PID:7276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4676,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4580,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:1
      4⤵
      PID:9060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5940,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
      4⤵
      PID:244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:14
      4⤵
      PID:8500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:14
      4⤵
      PID:6256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4044,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:14
      4⤵
      PID:5304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6136,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:14
      4⤵
      PID:3660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1124
        5⤵
        
        PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5940,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4964,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:14
      4⤵
      PID:2556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=872,i,2174773179173482588,7595852244436160559,262144 --variations-seed-version --mojo-platform-channel-handle=5852 /prefetch:14
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe"
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\GamePanel.exe
    "C:\Windows\System32\GamePanel.exe"
    3⤵
    PID:7360
- - C:\Windows\SysWOW64\getmac.exe
    "C:\Windows\System32\getmac.exe"
    3⤵
    PID:7556
- - C:\Windows\SysWOW64\gpresult.exe
    "C:\Windows\System32\gpresult.exe"
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\gpscript.exe
    "C:\Windows\System32\gpscript.exe"
    3⤵
    PID:8376
- - C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\System32\gpupdate.exe"
    3⤵
    PID:8464
- - C:\Windows\SysWOW64\grpconv.exe
    "C:\Windows\System32\grpconv.exe"
    3⤵
    PID:8616
- - C:\Windows\SysWOW64\hdwwiz.exe
    "C:\Windows\System32\hdwwiz.exe"
    3⤵
    PID:8728
- - C:\Windows\SysWOW64\help.exe
    "C:\Windows\System32\help.exe"
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\hh.exe
    "C:\Windows\System32\hh.exe"
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    "C:\Windows\System32\HOSTNAME.EXE"
    3⤵
    PID:8964
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe"
    3⤵
    - Modifies file permissions
    PID:8984
- - C:\Windows\SysWOW64\icsunattend.exe
    "C:\Windows\System32\icsunattend.exe"
    3⤵
    PID:9068
- - C:\Windows\SysWOW64\ieUnatt.exe
    "C:\Windows\System32\ieUnatt.exe"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\iexpress.exe
    "C:\Windows\System32\iexpress.exe"
    3⤵
    PID:8380
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    "C:\Windows\System32\InfDefaultInstall.exe"
    3⤵
    PID:8472
- - C:\Windows\SysWOW64\InputSwitchToastHandler.exe
    "C:\Windows\System32\InputSwitchToastHandler.exe"
    3⤵
    PID:8696
- - C:\Windows\SysWOW64\instnm.exe
    "C:\Windows\System32\instnm.exe"
    3⤵
    PID:9128
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe"
    3⤵
    - Gathers network information
    PID:8276
- - C:\Windows\SysWOW64\iscsicli.exe
    "C:\Windows\System32\iscsicli.exe"
    3⤵
    PID:8992
- - C:\Windows\SysWOW64\iscsicpl.exe
    "C:\Windows\System32\iscsicpl.exe"
    3⤵
    PID:1456
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
      4⤵
      PID:432
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\System32\isoburn.exe"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\ktmutil.exe
    "C:\Windows\System32\ktmutil.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\label.exe
    "C:\Windows\System32\label.exe"
    3⤵
    PID:8988
- - C:\Windows\SysWOW64\LaunchTM.exe
    "C:\Windows\System32\LaunchTM.exe"
    3⤵
    PID:5132
  - - C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      4⤵
      PID:9100
- - C:\Windows\SysWOW64\LaunchWinApp.exe
    "C:\Windows\System32\LaunchWinApp.exe"
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\System32\lodctr.exe"
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\logagent.exe
    "C:\Windows\System32\logagent.exe"
    3⤵
    PID:8844
- - C:\Windows\SysWOW64\logman.exe
    "C:\Windows\System32\logman.exe"
    3⤵
    PID:8788
- - C:\Windows\SysWOW64\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:8772
- - C:\Windows\SysWOW64\makecab.exe
    "C:\Windows\System32\makecab.exe"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\mavinject.exe
    "C:\Windows\System32\mavinject.exe"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\mcbuilder.exe
    "C:\Windows\System32\mcbuilder.exe"
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\mfpmp.exe
    "C:\Windows\System32\mfpmp.exe"
    3⤵
    PID:8680
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:8276
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:8896
- - C:\Windows\SysWOW64\mmgaserver.exe
    "C:\Windows\System32\mmgaserver.exe"
    3⤵
    PID:8908
- - C:\Windows\SysWOW64\mobsync.exe
    "C:\Windows\System32\mobsync.exe"
    3⤵
    PID:8576
- - C:\Windows\SysWOW64\mountvol.exe
    "C:\Windows\System32\mountvol.exe"
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\MRINFO.EXE
    "C:\Windows\System32\MRINFO.EXE"
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\msdt.exe
    "C:\Windows\System32\msdt.exe"
    3⤵
    PID:8508
- - C:\Windows\SysWOW64\msfeedssync.exe
    "C:\Windows\System32\msfeedssync.exe"
    3⤵
    PID:8788
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\msinfo32.exe
    "C:\Windows\System32\msinfo32.exe"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\msra.exe
    "C:\Windows\System32\msra.exe"
    3⤵
    PID:8580
  - - C:\Windows\system32\msra.exe
      "C:\Windows\system32\msra.exe"
      4⤵
      PID:6872
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:4848
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\System32\mstsc.exe"
      4⤵
      PID:6856
- - C:\Windows\SysWOW64\mtstocom.exe
    "C:\Windows\System32\mtstocom.exe"
    3⤵
    PID:7104
- - C:\Windows\SysWOW64\MuiUnattend.exe
    "C:\Windows\System32\MuiUnattend.exe"
    3⤵
    PID:7228
- - C:\Windows\SysWOW64\ndadmin.exe
    "C:\Windows\System32\ndadmin.exe"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe"
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\System32\netbtugc.exe"
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
    "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\netiougc.exe
    "C:\Windows\System32\netiougc.exe"
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\Netplwiz.exe
    "C:\Windows\System32\Netplwiz.exe"
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe"
    3⤵
    PID:8824
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\System32\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:8680
- - C:\Windows\SysWOW64\newdev.exe
    "C:\Windows\System32\newdev.exe"
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:8540
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\System32\nslookup.exe"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\ntprint.exe
    "C:\Windows\System32\ntprint.exe"
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\odbcad32.exe
    "C:\Windows\System32\odbcad32.exe"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\odbcconf.exe
    "C:\Windows\System32\odbcconf.exe"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\System32\OneDriveSetup.exe"
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1508
      4⤵
      Program crash
      PID:6780
- - C:\Windows\SysWOW64\openfiles.exe
    "C:\Windows\System32\openfiles.exe"
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\OpenWith.exe
    "C:\Windows\System32\OpenWith.exe"
    3⤵
    PID:7352
- - C:\Windows\SysWOW64\OposHost.exe
    "C:\Windows\System32\OposHost.exe"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\PackagedCWALauncher.exe
    "C:\Windows\System32\PackagedCWALauncher.exe"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
    "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\PATHPING.EXE
    "C:\Windows\System32\PATHPING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6712
- - C:\Windows\SysWOW64\pcaui.exe
    "C:\Windows\System32\pcaui.exe"
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\perfhost.exe
    "C:\Windows\System32\perfhost.exe"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe"
    3⤵
    PID:7488
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
      4⤵
      PID:396
- - C:\Windows\SysWOW64\PickerHost.exe
    "C:\Windows\System32\PickerHost.exe"
    3⤵
    PID:8352
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:484
- - C:\Windows\SysWOW64\PkgMgr.exe
    "C:\Windows\System32\PkgMgr.exe"
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\poqexec.exe
    "C:\Windows\System32\poqexec.exe"
    3⤵
    PID:7772
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\System32\powercfg.exe"
    3⤵
    - Power Settings
    PID:1400
- - C:\Windows\SysWOW64\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\prevhost.exe
    "C:\Windows\System32\prevhost.exe"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\print.exe
    "C:\Windows\System32\print.exe"
    3⤵
    PID:9188
- - C:\Windows\SysWOW64\printui.exe
    "C:\Windows\System32\printui.exe"
    3⤵
    PID:8976
- - C:\Windows\SysWOW64\proquota.exe
    "C:\Windows\System32\proquota.exe"
    3⤵
    PID:4816
- C:\Users\Admin\AppData\Local\Temp\617eb3977e934031b15cb6e45e2fdea9.exe
  "C:\Users\Admin\AppData\Local\Temp\617eb3977e934031b15cb6e45e2fdea9.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\35d9a2406e244fa7bc3017ff84a74b98.exe
  "C:\Users\Admin\AppData\Local\Temp\35d9a2406e244fa7bc3017ff84a74b98.exe"
  2⤵
  PID:5348
- C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806.exe
  "C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806.exe"
  2⤵
  PID:8520
- - C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806Srv.exe
    C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806Srv.exe
    3⤵
    PID:8552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8552 -s 324
      4⤵
      Program crash
      PID:8624
- C:\Users\Admin\AppData\Local\Temp\965cef0662324ee7ad0386b95bdab9ea.exe
  "C:\Users\Admin\AppData\Local\Temp\965cef0662324ee7ad0386b95bdab9ea.exe"
  2⤵
  PID:8984
- C:\Users\Admin\AppData\Local\Temp\bc75a35d6e6c48fdb8300ae6906d320f.exe
  "C:\Users\Admin\AppData\Local\Temp\bc75a35d6e6c48fdb8300ae6906d320f.exe"
  2⤵
  PID:4576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2008.tmp\2018.bat C:\Users\Admin\AppData\Local\Temp\bc75a35d6e6c48fdb8300ae6906d320f.exe"
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\6f56f8e33f6a4e64b0696213d524372e.exe
  "C:\Users\Admin\AppData\Local\Temp\6f56f8e33f6a4e64b0696213d524372e.exe"
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 512
    3⤵
    - Program crash
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
  "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
    "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
    3⤵
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
      "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
      4⤵
      PID:8248
    - - C:\Users\Admin\AppData\Local\Temp\sys3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\sys3.exe
        5⤵
        
        PID:7236
- - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
    "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
    3⤵
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
      "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
      4⤵
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
    "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
    3⤵
    PID:9192
  - - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
      "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe
    "C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe"
    3⤵
    PID:3008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
PID:4700

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5508 -ip 5508
1⤵
PID:5676

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5684
- C:\Windows\system32\dashost.exe
  dashost.exe {6d23c418-1fb1-40a3-83719e01bf66122b}
  2⤵
  PID:5148
- C:\Windows\system32\dashost.exe
  dashost.exe {a8574fed-1c14-4720-97a045db048be376}
  2⤵
  PID:5172
- C:\Windows\system32\dashost.exe
  dashost.exe {9ebc8787-60da-42fe-b97ce36cf28b28f3}
  2⤵
  PID:6732

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:6216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6388

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:1392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7300

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 8552 -ip 8552
1⤵
PID:8584

C:\Users\Admin\AppData\Local\Temp\0C7DD863-1AE1-4490-B95A-2E693F69D222\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\0C7DD863-1AE1-4490-B95A-2E693F69D222\dismhost.exe {8759721A-2968-451B-BBA5-A991B87E4BA9}
1⤵
PID:7916

C:\Users\Admin\AppData\Local\Temp\965cef0662324ee7ad0386b95bdab9ea.exe
C:\Users\Admin\AppData\Local\Temp\965cef0662324ee7ad0386b95bdab9ea.exe explorer.exe
1⤵
PID:8584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3604 -ip 3604
1⤵
PID:2548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1908 -ip 1908
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
da91ecaa6b2e9994219377ad5a5dd326

SHA1
513c0be0b34f35b8325549a8601657042686b188

SHA256
b8410ea79c135f1616fbf9454c7bf223cfb93593c094665d1ef2ec324fe0dce9

SHA512
b39824dc3ed6dc6beffbf77b8ae0299513d2239d29886d959a01e0c46c0449b51a13ead4f6edbad62f4b01dd4191844c797bcd6cf0080eac686bd899f40b3861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a975f.TMP

Filesize
3KB

MD5
6b47c7098ba079bf24af33f433369bb6

SHA1
70f92775a7b8dca3806f9ef5af45a5724d8a5e6f

SHA256
e273ea05c83bb56474dd2b4bb3f5c03540929d16cd7f8df6157c1f590215e328

SHA512
5f3295c49afc83380b4e8353e120f15909efc1abf7645b3ba6ce17a2a08e23271c5ecb1bbcf8d57e5d402b2a08fb95b8b24e258895d47089275fcc553d50cdb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4374158d7dfa88dec5876a72a28c07f5

SHA1
08f0330cd514a40e56aa8eff4720dce881760aba

SHA256
300b344ab5848c3d450d0bb4505093d8e98a60d1fb0068d3f7b0503758def84d

SHA512
4fb5df51b24ac0f8e4808d1421f409e42c2f2ce0dc2a44a6236c7f39bc617f4dcc97eade5d81074d4b91135edfad3edcbea702323fa733805b1703aa67719735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
a4190de75b19e82e6c994b9fcb6b481b

SHA1
0767f35f96c6f69289b8acde54f14fe36e4cf94a

SHA256
5553934d6892d1952582683d410efc4bb6e935673d933146064a7c6e4f52dbb7

SHA512
e31984a0c468993516100531fd124ac1002991e4a9ed20d399bfc0be11a39aa5574e4e0a9d83dcd615c2eeaff61caee0523937b9b09f3f9e983ec294b636dbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
ea874bc87bcf92ea11129260e567e5bd

SHA1
5a36a39de19c8662edabd6ee7e86cf670ae8100e

SHA256
bf789cc3e727638169955dcd45f7767d306e4fbf27d27f67fbdc17cb7c10a1a4

SHA512
949e4184d37494a1e8829795aca0c3715a4c202c46a677ecb4c15fbdc2ab91940069f3190cc72e8481e1ddfb654d0a67321475e03d32f28a4592fece14dc7902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
bdf4b987542c97701dab80af8cbc17ad

SHA1
2bbf08e7aff03afee466d3efce76a13d9f21048f

SHA256
065a42e872f2bfadc34a73d96c6b8ef18b24f105aa8bcf8bcb555cf0e1bba043

SHA512
cb531140f07fe92e6779416c6b85db53b96f18aedd5597189c85671fc8c8bd40a8eb91f768765d4d4596756dee14e3288ce1ee85f9639540314cb9a42fc19420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
d2ed95567a4a6bedbb47df96ae7efedc

SHA1
15c8a574c47bcd55ae144ca3a37174def58ca11f

SHA256
0adb7cba2000d3969d2ba452027d9cb3daaf7e17e907266a2e82ab9d4405487d

SHA512
60c70537c9539b9d8ec93932cc939c8ce6988704024b03e1c36d3e34b41da7931aca017231d8b717c968fa632d545f92a22a7da4ac79b3c14b3142efc796152d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
d70f07fb59646656972f33165ddd78b2

SHA1
932f088f05f686b2cac71eb67d248e9f81d99a85

SHA256
1d6d49366264dc0a54d2bd063efb49d68cb96a24e2adb7d1bdac5f8c65008374

SHA512
e2ae70ca07a3bdcfa61d12d1a39b3d222a66dd7c59a03149f7ae076b0b6ef6b2585862b8ce3ce689802dde0ec92810c52de0b7ef477a9120680c154667f2b328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
1KB

MD5
552372ab6a5ef0577c03f0c18274fa28

SHA1
5f8bea8130ab8ebbe04a434a5b1d580930f01f1c

SHA256
586acb98219cac08b4ce5f76463d32c099b5252e1a8c7902d65f11c9ef9bfacb

SHA512
495c714b1b050759f2523b41d1272b40163c4e4f3063f194c86d3285f2077a55fd858a7588f6292f7fb0c4192d8d3172fbfe03117a9ce14a2cf6edc16ce96cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
2KB

MD5
d5bc71cd61388c827ec54d3e5d890a9c

SHA1
cdd0deb19beeffe450b0d9e206c429438f4d5c60

SHA256
8f0f8c6b197d192ec1925056a07c52678395fed49afb4a2095df3cd492bebb2f

SHA512
3106a00dc402c88fedcd44ddc791811776d99581edd3d25324f3bba16de19f3ede47465d43fe33662358845f8cbed543be8cafe49e29043e505294bd929d6e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
701eae7826516f7d1bd859457e6758ba

SHA1
0ed31b88b0f0100116c933c30f7d8e940776c0c4

SHA256
c0a083d71a4334bd56c72fb78e4d0fdd305ee87b471fe3f2d9e4d564675a7e59

SHA512
503abb9b346c4c90daf426ce55b6034b3f236987356857dea313c4c6efcfbbff3129494b80dccb2788ea32c75ec3776fe6160e3a9c84d8a8f66494f05bbc869b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
54b063efce35975eae407914eb622aba

SHA1
b99aeccd5ae7c43bf654e62ac955dc23c8952654

SHA256
ce66f23fbc366d5cb5f495c2b0f585a04d42c4d0bdddc65c0acc9c375197640d

SHA512
57a7b384ddd03007b6fac1ae86ec79fd26c39d760e590119861617fee0374813eac697664633f618f06e31d702d0a3ced1787f8ceac364417ce368d3610791c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
fb1c6f3df22e4499055276c65c893fa2

SHA1
a9656416701ed8b4e59bf8bb787641f37a2ac784

SHA256
ad05a905b6ee5b32938489c227a471de575ebce36f2e21fa8176b7f992cf2c01

SHA512
a25f8ec939a0eff3e8db8109d5b7bec21154b1b7e7bd5a767935fe8dfd80c77f6b4161b75406ccf0c87b8bba0ca55b3619db62b7fc9d57710aa0c3ef32aa26e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6ba4c3f27c61e6eadcd713828d749060

SHA1
c52ca4e0cab500294ea051da0ed5b7fc278a29e8

SHA256
49961952e78ec83a59004427e9174880880de79b0625b8ab3d6bbfcc4df8c6fa

SHA512
df0a1131207ef7076dd8465558e4f805b42da3466680eefbb24e5fade3fbead363c694e0c4489b5959ec079d115440b84e15a2fe40e1623030c624ba700c1721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
3f9b61e51b50a784f74303a98ccbd1bc

SHA1
aa112d46793d55e04287e7964efc44e5b5a458f8

SHA256
1a34edba65c81ebe9cb6854d3abd6a7deb26e3e3085951a0cdae339bb86e79d6

SHA512
ecae41de6b72a6cf9f14ccdea9e4ece0de58bc3bd2df1abcd1f7cacf322645d8d2813a696645eb5e9d00db3df0cf8ecfe8ad8696a63076a1e6ce7757a0f22164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
32KB

MD5
e3c9dd257b0181d672dba8fbeca6604f

SHA1
95ac658d8d603a8fd9fbde2c921e3e97d5f905da

SHA256
090666903f2a1e1b23b7dd20ea88ae293527dd03b7c3a00dff407a2cd037c241

SHA512
87d2dc2ec041773550998639c51365b656fc2d09e29e89c5cee6fe0af7388a6dd5cff64afeec27cbda6e5f9450391f6b7d5f681905e2277c29280716bdd2022f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c9f3ffde87669a2f5b2e5a04d98c34cc

SHA1
a191a1e06ba2d2942194ecbb35f6a9eb3a73fca8

SHA256
d1f179e77b2f86814d699708e939c220310f01b82c272928c4cb23ff0954b1dd

SHA512
d5b945b9cf212cb35b30422b0f8a4d1fb9e74f2ad1db1dc84f09fde14065dfe6f620d125179aa3a424c93043fd0fcc573aa7a7028694fd4508a9140bfc6fe708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
1130463d3ca49591ad5d053379d7f654

SHA1
94f1221fc5e2945705133826760a6b529f0cf8ad

SHA256
1507695eda86532383e66466afd5b5fbdea2e7832e594c60d081bcb3d746e445

SHA512
beae456b3ff8d03ea366a1eada5df37b9c4201ee9b1a9b8874c126e2ed1b7b2e0ef0669f3ac7e8f92b7708e2455679572f5c28fb9edac032d463e0d212145821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\35d9a2406e244fa7bc3017ff84a74b98.exe

Filesize
28KB

MD5
62cbb85434223022a0b0e369b227a3d9

SHA1
4978b691168f16c678a1ffe53e126ba1d946bce0

SHA256
ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd

SHA512
f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\617eb3977e934031b15cb6e45e2fdea9.exe

Filesize
283KB

MD5
2b1e9226d7e1015552a21faca891ec41

SHA1
f87fcbe10fa9312048214d4473498ad4f9f331ce

SHA256
7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

SHA512
1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f56f8e33f6a4e64b0696213d524372e.exe

Filesize
47KB

MD5
c61693e8d501dcdbcd2346853a80417a

SHA1
edf5803d2c9cc7807b571d9d081ca06387ee7cd9

SHA256
f0d5399c42971102e56abbcc9efd1d0b104ddb36da5bccd67e18850a1a21fad4

SHA512
8cc0fe94e144e754cf0fd0d4de2f4361adaf7fc83116fc3009272efa6df2eb0c60b04dc037ffde1581906471196ffae0cb51262a7ac731b515ff091a64da41d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\965cef0662324ee7ad0386b95bdab9ea.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b786525d676d42989eac1bb8bc2bd979.exe

Filesize
135KB

MD5
c971c68b4e58ccc82802b21ae8488bc7

SHA1
7305f3a0a0a0d489e0bcf664353289f61556de77

SHA256
cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

SHA512
ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc75a35d6e6c48fdb8300ae6906d320f.exe

Filesize
69KB

MD5
57aefeb4dc6a62340c9cd1ee49d043d1

SHA1
e769b03d88cc128982f5394c28f6ba31cac957b7

SHA256
6f396703789bb1d26f98023d79f1a634dadc1cd5c2f3c096a42119e022381edd

SHA512
db2a5c757f9d90da18a48cd6fdec120439b1e3ae9552c76d433da890c68cb9ff65f9c35da5f97a4e9bfbda1feb214895e7121fe63dd4318149a6aedf348c2e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806.exe

Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca840b85c4034b56919bdcd5ef7af806Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db40d787aec546339e9c52ce40b459f9.exe

Filesize
10KB

MD5
76386705862925ccbf1e3f711a6e6b56

SHA1
2335fae9eb828b09930a2b01910b1b594395004e

SHA256
a62e7ad75ab140bf45272989ac9b9f5937298c8c5ffdccd19323452c0e793b90

SHA512
893000f32223c67dce85c7a9f0edd315743ce56372557d432a1c6fcb19b728e7110adee7e23f7de7b6ad59f48fe632d27ebafcb0fab00a3ecad01a23c7e6000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
70B

MD5
59c28856875645a307c85b03a5dc154d

SHA1
3ab00f472944e8553910c83e2c53856cadd02002

SHA256
c25e358d1689fb98acf6cea45ac4a3038e012b3bef561ffeb9c0ccd9e204d4b6

SHA512
37f126df88666119f7fe3a2b81040b7368115b59a914de72daa3ffb271f76abd7c6a39c75e7aa20c3b748180d30ebae2c3360b448466e71d0e6fc9854956f3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a7d7df75551c960034e5d5c46b8a75b0

SHA1
fb07d859e968062c13d83a96b5e20ba3dc582f3f

SHA256
11bf8590d372b2137d4c784c956b41edb4f43ac89a211a99847b180645b9b350

SHA512
7004f7d8b810f6df291361e183d256f8a0b3a6447cb2bf96b63351edf5eed0c1ede65bc7a06bc0ac5a291505aed88ea2ec7e2a2b986d42a2a103583eb1547b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9514ADB613D74EDDAC45978A606C0354.dat

Filesize
940B

MD5
bbae2629f8632f1ebd13cb0ebfb10381

SHA1
d639989712e2d7a0b017f358f1671c5b946ec63a

SHA256
0b05edd61fe27e73711dc988df97f614b02039717f814abf3dccdf291de18580

SHA512
176110f5cc38824e112290493c59089e95ae3a41fa4552e0e489305e5383179783855edf55797f5f09cbef1e18f02dcb69d3141ee629ac36d408127eb77b1433

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
285KB

MD5
713590c13cd3be50e35052f33cbdcf8d

SHA1
c60c187ca0fd25b2cb9f8c3df75531bdfa74d902

SHA256
3c3bf830e16efacc819cc9b952e2e01a51d29a2fac71eb2d2d23e6876ce9c8fb

SHA512
83dcdfa3e81ad0b334797330fab6c7433a29b5b44c11bc88a148f0a081c68eeb521bb3911c7a70b97481c11ff02862138645c4c96519eb4cf53aa52cb74d5e49

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
280KB

MD5
a96724b84ce88f4a6b0d032c4228b5af

SHA1
788c51fe36f3c6e92b815bf9115a504b88d830a4

SHA256
9194848e4fe2db944e216ec90d6043bd50837f1bd51f4aa291917de2a9bd6b22

SHA512
72915d6fb038818c03bbe4f7a7568f1b0169f4b70f0e7424691dbf379cc4c4e66705a63e38c5e71507be22b6ac8fe0b8f5099bba62c4ff420ff798a8ea25245a

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
f5297a5c9492123a9327d810eda09da4

SHA1
7d3dc291dd6389d8f33e3db7637bf7587812cc0a

SHA256
b875f1c8fd72e9ab8d7ba186219e67c11771a9f17328d75e2fb1ac4b86d72292

SHA512
925ac5a05b5e9746d03a8b7690cbd4d49c8190ed942531cb5793faf74df40f9cc787509d5023c7cbd1355be94ef7d447840a59939185e3eabfcbc49ec8889b68

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
14KB

MD5
d0a0fec569e0a71616458efd93679e5a

SHA1
9db24b24a51c07ef7c34921efaf0acc67e8f03c0

SHA256
2c4850d851e4b0a5c8e7aa1c54e2a0f7ceb615c7b5df4c67752bb0565961ce44

SHA512
bb411b98c56b998e7080118a3fe629000b67b7ebcdab97aa863387b5f2fd66924640fe15ba88a3a535836d6060da9ae9596f7398abde572b6e307ac3d3c1fd49

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
c322effd08794d98c2943616d1b11c1b

SHA1
32b000d175d8aee12e87cade47fff0920ed08bdd

SHA256
ddf03f68b4a5fa3e39da92a61e72ea5d86283a4a028f1fa93e8bdbc9b8d4d5cd

SHA512
53af703e68ddd70eac9080cf5f0ca0941795598794574b86146acab9bc565574e7505d5ab6dc4fe6a67107129510c48d7a33d89fced3d036b1c3e954aea60911

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
5c239d84e41e1df1ac18ec54c2f51a04

SHA1
60ee3155cb04b0da42f1127a3bb364a5e788d89e

SHA256
d250dda884cbbea6cc07a0f5ecabfe8ef0bc41cae1a4aaf6ffe6857aff08070c

SHA512
f66b4c55f51b63b3b45ab2cddb94c729bc28e02b269bc0a5d40df73769752f28063c020df1c3c084a8cc68d9227e15cf3db821e23761b6d732a691ba176e61ef

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
7c7f5285d19f6831b30466ad576caa7e

SHA1
6e9c7b483b0ed94b819f1cb5b014cb64a8f97c13

SHA256
43ddd46bdeda744c532aecaa9973fe56aae11f5b5d0b7c87877465cb68f2a7cc

SHA512
38ad90d252b630e5aa0a27f92f9f36f198125e377791cb32d34f4df0021695da0a07fb263016fb4119dbb833957a18c70e49ee093e3119baf85ff7e6828151c2

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
1d57431b3f12ac8f0382d88ae5df3646

SHA1
a0978da52cfa60ee5dcee839d1ff6a8745c565fb

SHA256
f0097037a33dec526144ab7e26312e97725a6c59d1488deb38d5c06796f53e4a

SHA512
e3a9d282059e38096e8f49b8245c962cf7c4eb278e1918751ef523e83dd54d404a5230ac55f376c95dd472e5c4f7047453a1952fd45de28dcfb98b2929ed3692

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
431B

MD5
1d188c2c3d6b9e27d11c00c3d4be613c

SHA1
32302a86dfa1dab63a3d4762b240c335a52859ec

SHA256
f0f0b8530ad966bdf67c4b5e7387d876c23d43f85cde0f0c00191e391098de39

SHA512
80088aba90a4964335f82feae1b54b0c3103999ab13afc6e7bed958a271b21dc20a11846779e043ef37aa1d16c817ed4ed71c2af68c22f58cd7279c3e466cefc

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
657B

MD5
555a72d6e798146e0ee8b37a5d32c152

SHA1
c1aa37cce25c9d166400ca5c823e6f9f3c258f3f

SHA256
a962aa441651c11a3f413f80a9a314d6e74133e98a3d93766b01a273c94b964b

SHA512
f88ea360e464847e74b86b5a6bf0856b55b8711250478ce0df0e0fdffb39f46f37c8355d11adcef5ef46fe908d928c462667c92d446aaafc2faa2e72f7ca8837

Download Submit
memory/2192-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-0-0x00000000750D1000-0x00000000750D2000-memory.dmp

Filesize
4KB

Download
memory/2192-3-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-4-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-5-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-6-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2192-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2776-658-0x0000000035890000-0x00000000358A0000-memory.dmp

Filesize
64KB

Download
memory/3756-659-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/4572-638-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/7236-671-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/7704-84-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/8520-212-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/8520-161-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/8552-166-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/8584-451-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/8984-405-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/8984-463-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads