Resubmissions
02-09-2022 02:49
220902-dbgmjafabp 1002-09-2022 02:36
220902-c3scnshbc7 1012-08-2022 07:02
220812-httr2aceh7 10Analysis
-
max time kernel
732s -
max time network
760s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
02-09-2022 02:36
Errors
Reason
Machine shutdown
General
-
Target
csrss.exe
-
Size
4.5MB
-
MD5
2f29ebdaf7b3395ebdadb13f453177c7
-
SHA1
20913d2d3c145adf43af7f13108cd1eb974862ca
-
SHA256
5d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
-
SHA512
27c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
SSDEEP
98304:477X24Nev1+NrGJ4FSBiD+Fon/wpCmreluztZi3:kX243NrGk+F+/wYmt
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 8 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Blocklisted process makes network request 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 38 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Drops file in Windows directory 12 IoCs
-
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 57 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 21 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 48 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe"C:\Users\Admin\AppData\Local\Temp\csrss.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe"C:\Users\Admin\AppData\Local\Temp\csrss.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 9042⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2436 -ip 24361⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵
-
C:\Windows\System32\mode.commode 102, 343⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC6C.tmp" "c:\Users\Admin\AppData\Local\Temp\on5bnpf4\CSC5C9FD00F3D23453785393C0794026AE.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 licensing.mp.microsoft.com3⤵
-
C:\Windows\System32\PING.EXEping -n 1 licensing.mp.microsoft.com4⤵
- Runs ping.exe
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\zpjkrj4f\zpjkrj4f.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES262C.tmp" "c:\Windows\Temp\zpjkrj4f\CSC97CDE1E45BA04913B28CDE86983A7C12.TMP"5⤵
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵
-
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem44B0.tmp4⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4898.tmp" "c:\Users\Admin\AppData\Local\Temp\byeaw3dm\CSC19AFD72FBC9047C98B6154CD3A45FC34.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\mode.commode con cols=100 lines=323⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
-
C:\Windows\System32\net.exenet start sppsvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵
-
C:\Windows\System32\cscript.execscript //nologo slmgr.vbs /dli3⤵
-
C:\Windows\System32\cscript.execscript //nologo slmgr.vbs /xpr3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
-
C:\Windows\System32\cscript.execscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
- Modifies registry key
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\mode.commode con cols=100 lines=323⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\find.exefind /i "ComputerSystem"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\sc.exesc query osppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\net.exenet start sppsvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵
-
C:\Windows\System32\findstr.exefindstr =4⤵
-
C:\Windows\System32\findstr.exefindstr /i VOLUME_KMSCLIENT3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵
-
C:\Windows\System32\findstr.exefindstr /i TIMEBASED_3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"3⤵
-
C:\Windows\System32\findstr.exefindstr /i VIRTUAL_MACHINE_ACTIVATION3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 10740664333⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵
-
C:\Windows\System32\findstr.exefindstr =4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵
-
C:\Windows\System32\findstr.exefindstr /i VOLUME_KMSCLIENT3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵
-
C:\Windows\System32\findstr.exefindstr /i TIMEBASED_3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"3⤵
-
C:\Windows\System32\findstr.exefindstr /i VIRTUAL_MACHINE_ACTIVATION3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 10740654723⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell "$([DateTime]::Now.addMinutes(229408)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$([DateTime]::Now.addMinutes(229408)).ToString('yyyy-MM-dd HH:mm:ss')"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value4⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil5⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA15⤵
-
C:\Windows\System32\findstr.exefindstr =4⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345 /N3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\System32\mode.commode 98, 303⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | find /i "Current Edition :"3⤵
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition4⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismhost.exeC:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismhost.exe {681D46E5-5C8B-4918-831F-9AE0F9E7FEA4}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\find.exefind /i "Current Edition :"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2h0jf1hq\2h0jf1hq.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB382.tmp" "c:\Users\Admin\AppData\Local\Temp\2h0jf1hq\CSCCE1722809C4B47B0834C796AA463C2FD.TMP"6⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $ExecutionContext.SessionState.LanguageMode3⤵
-
C:\Windows\System32\find.exefind /i "Full"3⤵
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dism /online /english /Get-TargetEditions | findstr /i /c:"Target Edition : "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalEducation "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalWorkstation "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Education "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalCountrySpecific "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ProfessionalSingleLanguage "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo ServerRdsh "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo IoTEnterprise "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Enterprise "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "CountrySpecific CloudEdition"3⤵
-
C:\Windows\System32\mode.commode 98, 303⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="DXG7C-N36C4-C4HTG-X4T3X-2YV77"3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345 /N3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵
-
C:\Windows\System32\mode.commode 102, 343⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vju1wjci\vju1wjci.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B52.tmp" "c:\Users\Admin\AppData\Local\Temp\vju1wjci\CSC38087004DFB0494BAB80A4AE19D99977.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵
-
C:\Windows\System32\find.exefind /i "eb6d346f-1c60-4643-b960-40ec31596c45"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 licensing.mp.microsoft.com3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="DXG7C-N36C4-C4HTG-X4T3X-2YV77"3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\f2frke3i\f2frke3i.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES5C94.tmp" "c:\Windows\Temp\f2frke3i\CSC57858E7FE824431F848DECBF8A58A8E.TMP"5⤵
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" Pfn=Microsoft.Windows.161.X21-43626_8wekyb3d8bbwe;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵
-
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem75B9.tmp4⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhxzf42c\xhxzf42c.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E6.tmp" "c:\Users\Admin\AppData\Local\Temp\xhxzf42c\CSC95E2E59CF1CC490787ADEA73C7E25DE.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵
-
C:\Windows\System32\mode.commode 76, 253⤵
-
C:\Windows\System32\choice.exechoice /C:1234 /N3⤵
-
C:\Windows\System32\choice.exechoice /C:12 /N /M "> [1] Continue [2] Go back : "3⤵
-
C:\Windows\System32\mode.commode 102, 343⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start WinMgmt3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0nuj2oy\b0nuj2oy.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F18.tmp" "c:\Users\Admin\AppData\Local\Temp\b0nuj2oy\CSC5E274B54BDB945D4B65374BC254C2D75.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\System32\choice.exechoice /C:12 /N /M "> [1] Activate [2] Go back : "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" Get ProductKeyChannel /value4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "3⤵
-
C:\Windows\System32\find.exefind /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="NRG8B-VKK3Q-CXVCJ-9G2XF-6Q84J"3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get ID /VALUE4⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"3⤵
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\82bbc092-bc50-4e16-8e18-b74fc486aec3" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"3⤵
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\82bbc092-bc50-4e16-8e18-b74fc486aec3" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$b=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd')-split'[:]batfile[:].*';iex $b[1]; B 1"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\lyfghkbh\lyfghkbh.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES6D87.tmp" "c:\Windows\Temp\lyfghkbh\CSC762429CE9F9D46CEB7B92548D523FFF4.TMP"5⤵
-
C:\Windows\System32\expand.exe"C:\Windows\System32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\System32\findstr.exefindstr /i /v CertUtil4⤵
-
C:\Windows\System32\certutil.execertutil -hashfile "C:\Windows\Temp\_Temp\gatherosstate.exe" SHA14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS.cmd') -split ':hex\:.*';iex ($f[1]);"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Windows\Temp\_Temp\gatherosstatemodified.exe" SHA1|findstr /i /v CertUtil3⤵
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exe"C:\Windows\Temp\_Temp/gatherosstatemodified.exe" GVLKExp=2038-01-19T03:14:07Z;DownlevelGenuineState=13⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\net.exenet stop sppsvc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵
-
C:\Windows\System32\sc.exesc stop sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\ClipUp.execlipup -v -o -altto C:\Windows\Temp\_Temp\3⤵
-
C:\Windows\System32\clipup.execlipup -v -o -altto C:\Windows\Temp\_Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\tem840C.tmp4⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\net.exenet stop ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ClipSVC /y4⤵
-
C:\Windows\System32\net.exenet start ClipSVC /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start ClipSVC /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AP=Add-Type -Member '[DllImport(\"winbrand\",CharSet=CharSet.Unicode)]public static extern string BrandingFormatString(string s);' -Name D1 -PassThru; $AP::BrandingFormatString('%WINDOWS_LONG%')4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awrwx5va\awrwx5va.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B3E.tmp" "c:\Users\Admin\AppData\Local\Temp\awrwx5va\CSC82661CCA90B2403DB9A5C276E7D8BB70.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro for Workstations" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(8089390)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$([DateTime]::Now.addMinutes(8089390)).ToString('yyyy-MM-dd HH:mm:ss')"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $A='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f','','S-1-5-32-544','','Deny','SetValue,Delete';iex(([io.file]::ReadAllText($env:0)-split':Own1\:.*')[1])3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"3⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "2⤵
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "MAS.cmd"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS.cmd" "3⤵
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:12345678 /N3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3892 -ip 38921⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3892 -s 8601⤵
- Program crash
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultded56bd8h7303h4cbchaa0eh34efe2fffc421⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa060446f8,0x7ffa06044708,0x7ffa060447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,3714111735257564862,9043394802423864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6be75dcbh1239h47f9h92cfhde274cd4aca31⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa060446f8,0x7ffa06044708,0x7ffa060447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17063526308423671223,11834150051933312868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:32⤵
-
C:\Windows\System32\PING.EXEping -n 1 licensing.mp.microsoft.com3⤵
- Runs ping.exe
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem3CC1.tmp2⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn1⤵
-
C:\Users\Admin\AppData\Local\Temp\94927D95-095E-48A4-A99A-0C4DA9AFB852\dismhost.exeC:\Users\Admin\AppData\Local\Temp\94927D95-095E-48A4-A99A-0C4DA9AFB852\dismhost.exe {773ED874-169C-4653-82AA-1B2B33001EAB}1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\findstr.exefindstr /i /c:"Target Edition : "1⤵
-
C:\Windows\System32\Dism.exedism /online /english /Get-TargetEditions1⤵
- Drops file in Windows directory
-
C:\Windows\system32\DeviceCensus.exeC:\Windows\system32\DeviceCensus.exe1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem6E18.tmp2⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem8FF3.tmp2⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /ChangeSetting updatesEnabled=True 162⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /ChangeSetting updatesEnabled=False 162⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa060446f8,0x7ffa06044708,0x7ffa060447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6656 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9012 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9628 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9132 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7892 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6788 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5027780227536704692,7382267517761578696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9552 /prefetch:82⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3fa1855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Impair Defenses
1Install Root Certificate
1Modify Registry
4Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\ClipSvc\GenuineTicket\GenuineTicket.xmlFilesize
1KB
MD5652a56b106f16db440e06153a6f54c27
SHA1409805f97a5a5212dadb7d0cdb27a41220a14a84
SHA2564e60b41c213680ab2a962a39d623fbaeab89bfc66ea1182b9d902deddc43c854
SHA512342b8524536933ff2f90672751166d76cb3ab73e37c2dd485822b3769a6facf1b9870b2690f93606a92405d1a34defefbd5b750eb82da49c0ba66c2a963b154c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b4b103831d353776ed8bfcc7676f9df
SHA140f33a3f791fda49a35224a469cc67b94ca53a23
SHA256bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
SHA5125cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
3KB
MD548421f0e1f6821c9b6478da6f0bc9820
SHA1cd17e517fd219e2665eeefeaa88e042233fcbc21
SHA2567659042867197af28f9b6a6d412be2c3b1ed0dc1e9f75bf01006d980e62448b4
SHA512bc34720fd0b3826cc4ea4af2eeacd02f6d9ea74c53e0d463f6ae2ba8617188969a225ad76e388a00610fae626dba42dbabc85b2b75b83416ec8d90d6774eeb3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5560a2502dde75fec74de22b903d93ec2
SHA1e6f7af6dd8cbeeb38114587e0672de73462c82a2
SHA25641fd9e065ebdf6a510cd279a8669a080075ec406911cb5d7bf21913dc9117cf5
SHA512f8e420aa7f1c617f9a5ef63add8e5d356cdcf5dfc9a724b70534087d2723a28b303cad7bb611811035e77d0dc9a0cba6f8303c4bc0a982ee65cf9f6df442cb51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD583a7045cacc9daf48ebff4f2ecc9e5e2
SHA11e7fd8fbcc90bf69f7d5ae42aab814c8d9ee00e2
SHA256c3e56ed416df1de5a67d241489c778e2841d0791e86f4eecce2da76cde3bf059
SHA5121a2983b9992817031ae4dd4d1b3ae1b790f394b638915d1902cde5f4210233b0ba6f31722238908fe83bb9dff7704e1ecc69fb90095287b8938ecc78ef2a6dcb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
3KB
MD503cbc96ae454cfd8d9c4f62b32493235
SHA13384fc9d4cfaecdea3f93e2f658f22f44320d99e
SHA2566ed0f581124a90e8c5ee5fddeecc3c7a7e313573895955669a5f9bd511fb69b8
SHA5120e6deacb72d52a3bfcdf0986c9ca73a504f8930c29458290f873fc4ba2633a3edf5fbc196dcc8ec57f2beb43bb933064ed56eff9c0b7907c17fcd0aa035a0292
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ef5ef35c3059825861b16409862d0e3d
SHA1cde5311765478b1bcf309219c1a86a0238612099
SHA25653df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b
SHA5123c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD537448333923114cfe038f85c04b87175
SHA1325970da7764916e40ae025d5a70541d44b2185b
SHA256ff8242c314415438f56ac8273584d397f871a1b9f6899536510377ba6e567466
SHA512651d77fc097381812b07eed940e952c12ed6135fba4cfb19f6e4e2b0c9afff02f78f5558e75a6ccfade5415562ebf6ce6141335c4b95d5fc538fa5a84cb6ac03
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5fc28168b916bf9744961653d503e1164
SHA171deadab13b81a414582f931e9af010152463644
SHA256a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9
SHA51208d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56f3ec531d9232f4a9ff1e0d9a1a0eec3
SHA1d34256535b5ba7ce88f3546856bb6afba61e2dc2
SHA256d27a54c6c57bce9006bd291b87e4a1e5bcfe8c950b5a6c99d92543e7c182530b
SHA512eb259fe12551144eafc85c8552dee0fed49320de7431b41c2689efbff66940372d8ea50f448212b3da7a0a0482085924e5ec2c5ab511838009bf6390a8cfd284
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD543fa7c1a39a72ed005902ff119d9c9b9
SHA10e8f1335d4d0ed4d6f60e99c1de87f468010021f
SHA25653075b5e1f235c4beefc339d664390213712f0c3ff9063f8e65998c15d828785
SHA512328099faad3ca2ff661bd2ce756bf8e521bf4cc4a16c23db6993112dde2172c1415297a9c5b3721ec04699123d0c0289e5abfe6dc75d9c368911bbdec9fc4e8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52ad33642f863ae14ee53bc6853ee330e
SHA1ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA25617c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA51252c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\AppxProvider.dllFilesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismHost.exeFilesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\DismProv.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\FCF43918-55D1-4947-9E01-5B54362AC21A\dismprov.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\MAS.cmdFilesize
568KB
MD51a3c418a19dec8b84aaf0201e0eaeaca
SHA105073108beec6f35374cbdde14dba327011889b6
SHA2568e94eefe902028aabf791aeacd0f021c08b8298f1fc845fbbebe460f66a8d4cb
SHA5126fafa36c2092ed11a65cb38ab64e6c6aa6c3cd9e91b3685cd666a77b301f088ba1fabe1e7e8501d8033e173786d471913fff2a6abee905cb154a5aa1dd3f0047
-
C:\Users\Admin\AppData\Local\Temp\RES4898.tmpFilesize
1KB
MD53c177e4276e84c481d6de8d829109573
SHA1537151f52ce0f20704b8121b74fa445eba34f71c
SHA25695d700ed4db35c440ef4873aa7156c6c81433403746daa330bd67ae3556cddfc
SHA512fef86e2104092f35364925f74684c564b04767816901794f81fcf180198d211dad12664d5f28af650f5053906d1de118dfb134f135778bb9b8f5838da3d8917b
-
C:\Users\Admin\AppData\Local\Temp\RESFC6C.tmpFilesize
1KB
MD5a142acb15e323e1dd97ea11c95914736
SHA19d2012a82ecb5d4282702331bec3b08d40c3ae8d
SHA2565406120aa8d4c79ceb66cc2d5fb410120f4a5a0f3d81258d2d2b1e61d397d367
SHA5121239ec86e18e5d1f915c6c5edb651ac98103408971634068202866d5ba4d11fd2c7fa99fec466766280562a32c9604a6ef919bbe9a1b23e3ffd9832769f4448e
-
C:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.dllFilesize
3KB
MD5b45bc7eec81b96b703068fd70a2e10d4
SHA153994f0975fdde14b6ce465dd3d65844faf16239
SHA2567bbd2b32303ae8d9b26a6d5888e64c4fbc32df1eaab5b96dbc85f21f98795c62
SHA5123e6b6f99935cbbcc78a8e17e379998e2fb4dbd6033ee677c29c01608cf9341dd198776a0da4c827d6ec6a7ea768e483c8ea874203333d1207cf7aeb7216d6424
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.dllFilesize
3KB
MD587b7798dde12c82015aac1f893c0cbd4
SHA13bd8bfdd4cd82db9ca9eedeb8fc9e1ac1e09a9de
SHA2568a03bcc8567f4f84708178898e099db397d839e9f7debe922032855aff5bbe08
SHA512b6a34a494e4c2f139ce17aa628aac60f573c6e4e181f1028469813dc93f53cc755df6696467d7fba4a5f7baffd2d64acfacdf448dcaa7c2554747528f320ba63
-
C:\Users\Admin\AppData\Local\Temp\slmgr.vbsFilesize
139KB
MD53903bcab32a4a853dfa54962112d4d02
SHA1ba6433fba48797cd43463441358004ac81b76a8b
SHA25695fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816
SHA512db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a
-
C:\Users\Admin\AppData\Local\Temp\tem44B0.tmpFilesize
582B
MD52422816ec81a765f182844814023b7f8
SHA10598b43c2503dc2689b1e79be4eb259d11f4a415
SHA25618b8a74337da97ac449034d016770e0d068e2e3e65ac075c2ccd7f6e4ea94aae
SHA512dd1792aed7377dffff2c3dfd5b1af7af5d44e0d5a0f3f9afca64177fe0b5a3f1d7e606e141214caac4cf1bb57fbe5f357bc1d3528538c5ce8090a7e72b1708e3
-
C:\Windows\Logs\DISM\dism.logFilesize
190KB
MD581a1da9690c900dd951f164e2d7ddd1b
SHA180c0e8542fa678b7f45b03198ef5b78afd814923
SHA2562913e250b3c465013eed8b940f9fe618998a0b0aad9d01d8c18a0975b5e635b2
SHA512769f4922dca9ceac8908282b2b065d952e9c550e71a42fe45d84870c2983bf8c7d8608920860fdc8c9165ac61af08e8f8597b0965eebc460d8c05aeb08db5ef1
-
C:\Windows\TEMP\tem3CC1.tmpFilesize
206B
MD5b13af738aa8be55154b2752979d76827
SHA164a5f927720af02a367c105c65c1f5da639b7a93
SHA256663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4
-
C:\Windows\Temp\RES262C.tmpFilesize
1KB
MD562869b753537e8f47dc35bf4fd7514b7
SHA1485e66946ee06656afc81f21d9f88e4dcd09d283
SHA256781eb97d320ff93f4c3e74684c70111d5ce32f7963424ea53438b5ebfb28e406
SHA512d2a2493fd80951fe91bd9f931e907997c3a1636b2d70f32394840edd8864da218799af78c38b64a82e5a7e620ac49e8d00f3cb34993dac421e46ee51e66ea8fa
-
C:\Windows\Temp\_Temp\1Filesize
163KB
MD55e292f7adc1325ff1939720eeee7e084
SHA1add8d84766814d242cd4a18e68221ab1c0aa8c2b
SHA256f0b5aea982431d2ab5f1af9531e673c2255e574001cc405a36deb453f685f046
SHA51278fa465e048ac9cd906bc023f585d1504b09cddb57f2859de39660de9e0bf47f6fcfad65528d8f54b22efe16d19133a9344eb597952a33f69bee7a4c38aa4d27
-
C:\Windows\Temp\_Temp\GenuineTicket.xmlFilesize
1KB
MD5652a56b106f16db440e06153a6f54c27
SHA1409805f97a5a5212dadb7d0cdb27a41220a14a84
SHA2564e60b41c213680ab2a962a39d623fbaeab89bfc66ea1182b9d902deddc43c854
SHA512342b8524536933ff2f90672751166d76cb3ab73e37c2dd485822b3769a6facf1b9870b2690f93606a92405d1a34defefbd5b750eb82da49c0ba66c2a963b154c
-
C:\Windows\Temp\_Temp\gatherosstate.exeFilesize
330KB
MD515ce0753a16dd4f9b9f0f9926dd37c4e
SHA1fabb5a0fc1e6a372219711152291339af36ed0b5
SHA256028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
SHA5124e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exeFilesize
330KB
MD5892fae48577e46eabd9fbbc4107d924c
SHA13fccb9c359edb9527c9f5688683f8b3c5910e75d
SHA2565b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7
SHA51249f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d
-
C:\Windows\Temp\_Temp\gatherosstatemodified.exeFilesize
330KB
MD5892fae48577e46eabd9fbbc4107d924c
SHA13fccb9c359edb9527c9f5688683f8b3c5910e75d
SHA2565b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7
SHA51249f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d
-
C:\Windows\Temp\zpjkrj4f\zpjkrj4f.dllFilesize
3KB
MD5d6e3848d9245ec37fec4956075afb63b
SHA15fba3912006d1f1e618f4d0e97049d88e686a350
SHA256313502db57676d5dca897288d8cb83e34c8e909b17c5a205c4020ee5c3c1cbda
SHA512fba7cbc0c8497693ca566d2affacbda351c27df6a8f3d74b8f4872ffe69cdeeba45baa3186fcd087bc2c1b1ee5a4dc495d4fd53fb39ff30ffcd364064023b972
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\CSC19AFD72FBC9047C98B6154CD3A45FC34.TMPFilesize
652B
MD5d6d383b96a777dbb487ed2fb438ebe00
SHA1009987b279ba9946a160c8d43de82b0bffe19e7e
SHA2562f1232a001abfbbb7b881b35a5014ba01af8444b8d74563c0971949070a8b0a7
SHA51262d0b91fd35576649c57bf7a15a5059b261512072f59a46980ebb81e186c8be15d9532f928b2da4dbd522893cb21e29b13651fc14b5739d0e0e129a19a0e7c1f
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.0.csFilesize
272B
MD5188a35f3c29c637f10acb64368535fdf
SHA1284ef2a0dbcfff8ee45d709037a200bc064e19bf
SHA25610965c488921948f6a22135f6aa84bc4e6464343f6703516f62d126cecd9097b
SHA5120026ee29515799302293231e264262f9bd2c6144ad8871d6b1efa303f81e4a80c6d611cd9a7aefd3efe8e15d6b7c462f71713b5100807009673dcfd6ee4b0b94
-
\??\c:\Users\Admin\AppData\Local\Temp\byeaw3dm\byeaw3dm.cmdlineFilesize
369B
MD5dcb1509bc8439f98079e44c158ec943d
SHA1abaa0db37109239ec87d09ee78f383b3034b403e
SHA25629ec969b00c4469604e0785943ac4113ed6d658e79b39ce9e43a38a6b9dd3622
SHA512f8e0fc31eeec58aa29cbb46922c7d48a3602173127420dd535bf62fdef4fb888b23c9f03a15409801e3b876ba31270a7b88e398fa460259fcfedc517db853942
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\CSC5C9FD00F3D23453785393C0794026AE.TMPFilesize
652B
MD5b63f28b541bba5be432850021feb5a36
SHA1ad69deab09476662d83f8d99c2436e74e07ee8bf
SHA2561a458bef51e01be19a4f6177ba4609b0e027416e634264da9e15893cbe28831c
SHA512164d80e80af0390db25064f3cba943240c4e358efbe89ed82a06a503bed2cd38a01f409a7b938ed3681c441b6aa544421ab734af56cdf3bb90b3043da53f53ed
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.0.csFilesize
272B
MD5188a35f3c29c637f10acb64368535fdf
SHA1284ef2a0dbcfff8ee45d709037a200bc064e19bf
SHA25610965c488921948f6a22135f6aa84bc4e6464343f6703516f62d126cecd9097b
SHA5120026ee29515799302293231e264262f9bd2c6144ad8871d6b1efa303f81e4a80c6d611cd9a7aefd3efe8e15d6b7c462f71713b5100807009673dcfd6ee4b0b94
-
\??\c:\Users\Admin\AppData\Local\Temp\on5bnpf4\on5bnpf4.cmdlineFilesize
369B
MD5fa8ccaa212844b82737b145661fa59ba
SHA1cd58f797f6433ee800af7623acce3e70fc05cc97
SHA2564c4facb7cec62187360f5e0bc7bbb0233c548bbda5a2af5dd51e8b4a07251c2a
SHA512deaf6d179e1f522520f7157d4266b2a2c56a3caa2b36ea1825a2722d9e343d0b40d4d1b598953f7b7aa1ce7d327d693a62c4c7507eb376c4080d95116fd9d108
-
\??\c:\Windows\Temp\zpjkrj4f\CSC97CDE1E45BA04913B28CDE86983A7C12.TMPFilesize
652B
MD5b9d18ca701f1ba26407ae19c0c72d4e2
SHA1fb67cbd0cf27a38589da0956f3e6e2ef2211b5e5
SHA256ef476b47f354df25a6cbbcf8dfd88412791640368744723155e23b20b4e0c2aa
SHA5126a2a5ce6f6f0797c3f5396bd554c93c04a131d8b096abfbddbce63276aabc651e043f95c0a54c63918b23df785db8bc732cb8605ddf29a0fbb2bc798d3235b4b
-
\??\c:\Windows\Temp\zpjkrj4f\zpjkrj4f.0.csFilesize
522B
MD52e6c19c5992b1e58c8f6f98bb426ced9
SHA163fd7179df39870be99efc9faeddd69991639cdd
SHA256cca4fca9d50e7adead3201fdaead6abc5391b1e575ab33e4725eef731a4d1ac7
SHA512ead127d9b08050f9726fa23be2beed3afdcafe12327f64ab21c902a953b691b8dafd003872b448942d5b95d27cd90aed9a1a721db4a2637eddde135f6c290ab1
-
\??\c:\Windows\Temp\zpjkrj4f\zpjkrj4f.cmdlineFilesize
131B
MD5fb836eda0a7d3a145c501d094b7e1571
SHA1406a27acd0a2f7742689ab275debebbdf3af9961
SHA256fc1585b9767f14a7c782e5aa8f7f6d95a45dbc2ebb84e704c60f726b2e08c100
SHA512ef7cfdc5c9d9c20252d31396074573cb89947f3ea893269bf06fcfa119996e536fe1c4884c08e5c373f483e21186d47f1f72c5daafe31b5ab951d4e24773020a
-
\??\pipe\LOCAL\crashpad_4084_FKIXYECAWEZTHEPCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5812_EJUJUYLWEYZZRRNUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/444-340-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-341-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-342-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/444-343-0x000001D3CC1A0000-0x000001D3CC1B0000-memory.dmpFilesize
64KB
-
memory/532-198-0x0000000000000000-mapping.dmp
-
memory/556-175-0x0000000000000000-mapping.dmp
-
memory/592-336-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/592-335-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/720-347-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-352-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-346-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/720-353-0x000001DF04CB0000-0x000001DF04CC0000-memory.dmpFilesize
64KB
-
memory/860-170-0x0000000000000000-mapping.dmp
-
memory/948-150-0x0000000000000000-mapping.dmp
-
memory/1056-171-0x0000000000000000-mapping.dmp
-
memory/1164-165-0x0000000000000000-mapping.dmp
-
memory/1264-153-0x0000000000000000-mapping.dmp
-
memory/1420-327-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-328-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-325-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1420-326-0x0000023E52150000-0x0000023E52160000-memory.dmpFilesize
64KB
-
memory/1788-285-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-227-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-222-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/1808-217-0x0000000000000000-mapping.dmp
-
memory/1840-213-0x0000000000000000-mapping.dmp
-
memory/1852-216-0x0000000000000000-mapping.dmp
-
memory/1852-160-0x0000000000000000-mapping.dmp
-
memory/1908-169-0x0000000000000000-mapping.dmp
-
memory/1944-164-0x0000000000000000-mapping.dmp
-
memory/2100-254-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-255-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-253-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-256-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-264-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2100-263-0x000001DE928E0000-0x000001DE928F0000-memory.dmpFilesize
64KB
-
memory/2164-140-0x0000000000000000-mapping.dmp
-
memory/2184-261-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-258-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-260-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2184-257-0x000001A4340C0000-0x000001A4340D0000-memory.dmpFilesize
64KB
-
memory/2224-309-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2224-310-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2232-267-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-274-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-265-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-273-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2232-266-0x000002693FD80000-0x000002693FD90000-memory.dmpFilesize
64KB
-
memory/2272-135-0x0000000000000000-mapping.dmp
-
memory/2272-144-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-137-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-138-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2364-287-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2364-289-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-132-0x0000000003000000-0x000000000343C000-memory.dmpFilesize
4.2MB
-
memory/2436-148-0x000001CFFA240000-0x000001CFFA2B6000-memory.dmpFilesize
472KB
-
memory/2436-134-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2436-133-0x0000000003500000-0x0000000003E26000-memory.dmpFilesize
9.1MB
-
memory/2436-146-0x000001CFFA170000-0x000001CFFA1B4000-memory.dmpFilesize
272KB
-
memory/2436-147-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-145-0x000001CFF8FE0000-0x000001CFF9002000-memory.dmpFilesize
136KB
-
memory/2436-151-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2436-136-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2436-379-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2468-246-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2468-239-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2484-368-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-369-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-365-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/2484-364-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/2484-370-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-367-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-359-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-360-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-363-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-362-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2484-361-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/2600-172-0x0000000000000000-mapping.dmp
-
memory/2608-228-0x0000000000000000-mapping.dmp
-
memory/2676-174-0x0000000000000000-mapping.dmp
-
memory/2680-308-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2680-307-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/2908-231-0x0000000000000000-mapping.dmp
-
memory/3048-139-0x0000000000000000-mapping.dmp
-
memory/3056-159-0x0000000000000000-mapping.dmp
-
memory/3244-354-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3244-355-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3412-161-0x0000000000000000-mapping.dmp
-
memory/3456-214-0x0000000000000000-mapping.dmp
-
memory/3536-168-0x0000000000000000-mapping.dmp
-
memory/3556-358-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3556-357-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3656-212-0x0000000000000000-mapping.dmp
-
memory/3708-156-0x0000000000000000-mapping.dmp
-
memory/3776-319-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-318-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-317-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3776-320-0x000002702E440000-0x000002702E450000-memory.dmpFilesize
64KB
-
memory/3784-162-0x0000000000000000-mapping.dmp
-
memory/3816-345-0x00000232650E0000-0x00000232650F0000-memory.dmpFilesize
64KB
-
memory/3816-339-0x00000232650E0000-0x00000232650F0000-memory.dmpFilesize
64KB
-
memory/3816-338-0x00000232650E0000-0x00000232650F0000-memory.dmpFilesize
64KB
-
memory/3816-344-0x00000232650E0000-0x00000232650F0000-memory.dmpFilesize
64KB
-
memory/3844-196-0x0000000000000000-mapping.dmp
-
memory/3876-324-0x000001E7B6470000-0x000001E7B6480000-memory.dmpFilesize
64KB
-
memory/3876-330-0x000001E7B6470000-0x000001E7B6480000-memory.dmpFilesize
64KB
-
memory/3876-329-0x000001E7B6470000-0x000001E7B6480000-memory.dmpFilesize
64KB
-
memory/3876-323-0x000001E7B6470000-0x000001E7B6480000-memory.dmpFilesize
64KB
-
memory/3908-311-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3908-208-0x0000000000000000-mapping.dmp
-
memory/3908-312-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/3948-209-0x0000000000000000-mapping.dmp
-
memory/4012-331-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4012-332-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4080-315-0x0000012405780000-0x0000012405790000-memory.dmpFilesize
64KB
-
memory/4080-322-0x0000012405780000-0x0000012405790000-memory.dmpFilesize
64KB
-
memory/4080-321-0x0000012405780000-0x0000012405790000-memory.dmpFilesize
64KB
-
memory/4080-316-0x0000012405780000-0x0000012405790000-memory.dmpFilesize
64KB
-
memory/4152-197-0x0000000000000000-mapping.dmp
-
memory/4168-230-0x0000000000000000-mapping.dmp
-
memory/4172-163-0x0000000000000000-mapping.dmp
-
memory/4204-199-0x0000000000000000-mapping.dmp
-
memory/4232-314-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4232-313-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4236-158-0x0000000000000000-mapping.dmp
-
memory/4256-236-0x0000000000000000-mapping.dmp
-
memory/4296-195-0x0000000000000000-mapping.dmp
-
memory/4436-349-0x00000228B9070000-0x00000228B9080000-memory.dmpFilesize
64KB
-
memory/4436-348-0x00000228B9070000-0x00000228B9080000-memory.dmpFilesize
64KB
-
memory/4436-351-0x00000228B9070000-0x00000228B9080000-memory.dmpFilesize
64KB
-
memory/4436-350-0x00000228B9070000-0x00000228B9080000-memory.dmpFilesize
64KB
-
memory/4552-141-0x0000000000000000-mapping.dmp
-
memory/4552-149-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/4552-152-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/4580-337-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4676-166-0x0000000000000000-mapping.dmp
-
memory/4696-333-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4696-334-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4732-167-0x0000000000000000-mapping.dmp
-
memory/4928-237-0x0000000000000000-mapping.dmp
-
memory/4928-283-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/4928-281-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5100-305-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5100-306-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5124-229-0x0000000000000000-mapping.dmp
-
memory/5168-233-0x0000000000000000-mapping.dmp
-
memory/5212-207-0x0000000000000000-mapping.dmp
-
memory/5232-268-0x0000013F96EF0000-0x0000013F96F00000-memory.dmpFilesize
64KB
-
memory/5232-269-0x0000013F96EF0000-0x0000013F96F00000-memory.dmpFilesize
64KB
-
memory/5232-270-0x0000013F96EF0000-0x0000013F96F00000-memory.dmpFilesize
64KB
-
memory/5232-271-0x0000013F96EF0000-0x0000013F96F00000-memory.dmpFilesize
64KB
-
memory/5252-235-0x0000000000000000-mapping.dmp
-
memory/5280-177-0x0000000000000000-mapping.dmp
-
memory/5284-234-0x0000000000000000-mapping.dmp
-
memory/5328-200-0x0000000000000000-mapping.dmp
-
memory/5380-201-0x0000000000000000-mapping.dmp
-
memory/5400-211-0x0000000000000000-mapping.dmp
-
memory/5404-210-0x0000000000000000-mapping.dmp
-
memory/5412-249-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5412-282-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5472-202-0x0000000000000000-mapping.dmp
-
memory/5496-203-0x0000000000000000-mapping.dmp
-
memory/5520-204-0x0000000000000000-mapping.dmp
-
memory/5540-205-0x0000000000000000-mapping.dmp
-
memory/5680-206-0x0000000000000000-mapping.dmp
-
memory/5728-291-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5780-215-0x0000000000000000-mapping.dmp
-
memory/5824-356-0x00007FFA02F90000-0x00007FFA03A51000-memory.dmpFilesize
10.8MB
-
memory/5828-179-0x0000000000000000-mapping.dmp
-
memory/5836-219-0x0000000000000000-mapping.dmp
-
memory/5840-232-0x0000000000000000-mapping.dmp
-
memory/6036-185-0x0000000000000000-mapping.dmp
-
memory/6068-187-0x0000000000000000-mapping.dmp
-
memory/6076-223-0x0000000000000000-mapping.dmp
-
memory/6084-192-0x0000000000000000-mapping.dmp