hxxps://chromewebstore[.]google[.]com/detail/nbpmobgkahbnaojacpfmhigfofhbobja

Resubmissions

17/06/2024, 05:16

240617-fyms6szflm 8

30/01/2024, 12:36

240130-ptd5xafhg8 8

Analysis

max time kernel
1169s
max time network
1174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://chromewebstore.google.com/detail/nbpmobgkahbnaojacpfmhigfofhbobja

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 54 IoCs

flow	pid	Process
177	1476	PowerShell.exe
180	1476	PowerShell.exe
182	1476	PowerShell.exe
185	1476	PowerShell.exe
187	1476	PowerShell.exe
188	1476	PowerShell.exe
189	1476	PowerShell.exe
191	1476	PowerShell.exe
192	1476	PowerShell.exe
193	1476	PowerShell.exe
194	1476	PowerShell.exe
195	1476	PowerShell.exe
196	1476	PowerShell.exe
197	1476	PowerShell.exe
198	1476	PowerShell.exe
199	1476	PowerShell.exe
200	1476	PowerShell.exe
201	1476	PowerShell.exe
202	1476	PowerShell.exe
203	1476	PowerShell.exe
204	1476	PowerShell.exe
205	1476	PowerShell.exe
206	1476	PowerShell.exe
207	1476	PowerShell.exe
208	1476	PowerShell.exe
209	1476	PowerShell.exe
210	1476	PowerShell.exe
212	1476	PowerShell.exe
396	2944	PowerShell.exe
397	2944	PowerShell.exe
399	2944	PowerShell.exe
633	1084	powershell.exe
635	1084	powershell.exe
637	1084	powershell.exe
639	1084	powershell.exe
641	1084	powershell.exe
642	1084	powershell.exe
643	1084	powershell.exe
644	1084	powershell.exe
645	1084	powershell.exe
646	1084	powershell.exe
647	1084	powershell.exe
648	1084	powershell.exe
649	1084	powershell.exe
650	1084	powershell.exe
651	1084	powershell.exe
652	1084	powershell.exe
653	1084	powershell.exe
654	1084	powershell.exe
655	1084	powershell.exe
656	1084	powershell.exe
657	1084	powershell.exe
658	1084	powershell.exe
660	1084	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4084	dismhost.exe
4260	dismhost.exe

Loads dropped DLL 38 IoCs

pid	Process
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4084	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe
4260	dismhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
399	raw.githubusercontent.com
398	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\PSGetModuleInfo.xml	PowerShell.exe
File created	C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll	powershell.exe
File opened for modification	C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Buffers.dll	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Principal.Windows.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Memory.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Principal.Windows.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Management.Automation.dll	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Configuration.ConfigurationManager.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Numerics.Vectors.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4Powershell.psd1	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Runtime.CompilerServices.Unsafe.dll	PowerShell.exe
File created	C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Memory.dll	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Numerics.Vectors.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Permissions.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.pdb	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.AccessControl.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.pdb	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Management.Automation.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.AccessControl.dll	PowerShell.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\sppcs.dll	cmd.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4Powershell.psd1	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Runtime.CompilerServices.Unsafe.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Cryptography.ProtectedData.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\SevenZipSharp.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Permissions.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Principal.Windows.dll	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\PSGetModuleInfo.xml	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4Powershell.psd1	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.AccessControl.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z64.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Configuration.ConfigurationManager.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Numerics.Vectors.dll	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Management.Automation.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\SevenZipSharp.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.deps.json	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Memory.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Buffers.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\PSGetModuleInfo.xml	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.pdb	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z64.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Permissions.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Cryptography.ProtectedData.dll	PowerShell.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.deps.json	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Runtime.CompilerServices.Unsafe.dll	powershell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7Zip4PowerShell.deps.json	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z64.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Buffers.dll	powershell.exe
File opened for modification	C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\7z.dll	PowerShell.exe
File created	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\PSGetModuleInfo.xml	PowerShell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\SevenZipSharp.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Configuration.ConfigurationManager.dll	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\7Zip4Powershell\2.4.0\System.Security.Cryptography.ProtectedData.dll	powershell.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
452	sc.exe
2164	sc.exe
3604	sc.exe
2936	sc.exe
4376	sc.exe
3524	sc.exe
64	sc.exe
4932	sc.exe
4704	sc.exe
1656	sc.exe
1060	sc.exe
5076	sc.exe
4376	sc.exe
1268	sc.exe
552	sc.exe
5076	sc.exe
656	sc.exe
4452	sc.exe
552	sc.exe
4840	sc.exe
3312	sc.exe
2044	sc.exe
4940	sc.exe
2432	sc.exe
4852	sc.exe
5068	sc.exe
1940	sc.exe
3288	sc.exe
1736	sc.exe
1984	sc.exe
5068	sc.exe
2832	sc.exe
4552	sc.exe
4808	sc.exe
656	sc.exe
452	sc.exe
4616	sc.exe
1572	sc.exe
1448	sc.exe
208	sc.exe
3616	sc.exe
3852	sc.exe
5004	sc.exe
1984	sc.exe
2432	sc.exe
1404	sc.exe
2176	sc.exe
1060	sc.exe
1648	sc.exe
1984	sc.exe
4132	sc.exe
1268	sc.exe
4456	sc.exe
2688	sc.exe
2000	sc.exe
4840	sc.exe
3096	sc.exe
3060	sc.exe
1648	sc.exe
644	sc.exe
4616	sc.exe
4748	sc.exe
4076	sc.exe
2788	sc.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1528	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133510920351147406"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3336304223-2978740688-3645194410-1000\{160CDBDE-C907-4354-BE3A-334E30799512}	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3816	reg.exe
4376	reg.exe
4224	reg.exe
5004	reg.exe
4616	reg.exe
4976	reg.exe
404	reg.exe
2000	reg.exe
3312	reg.exe
4008	reg.exe
816	reg.exe
4464	reg.exe
2108	reg.exe
452	reg.exe
2128	reg.exe
4956	reg.exe
2932	reg.exe
1740	reg.exe
5068	reg.exe
2852	reg.exe
3616	reg.exe
3776	reg.exe
1448	reg.exe
3176	reg.exe
4140	reg.exe
5100	reg.exe
5064	reg.exe
1496	reg.exe
1940	reg.exe
4264	reg.exe
64	reg.exe
4260	reg.exe
3136	reg.exe
3688	reg.exe
3616	reg.exe
4616	reg.exe
3816	reg.exe
1060	reg.exe
4412	reg.exe
3640	reg.exe
3776	reg.exe
452	reg.exe
3992	reg.exe
4540	reg.exe
1528	reg.exe
2176	reg.exe
3040	reg.exe
1292	reg.exe
2628	reg.exe
3524	reg.exe
2756	reg.exe
572	reg.exe
3440	reg.exe
3860	reg.exe
4064	reg.exe
2012	reg.exe
3388	reg.exe
3832	reg.exe
1140	reg.exe
1684	reg.exe
4748	reg.exe
2552	reg.exe
2324	reg.exe
4956	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1836	NOTEPAD.EXE
5464	notepad.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2908	PING.EXE
64	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2956	vlc.exe
3652	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
1476	PowerShell.exe
1476	PowerShell.exe
1480	mspaint.exe
1480	mspaint.exe
2412	mspaint.exe
2412	mspaint.exe
404	mspaint.exe
404	mspaint.exe
2068	PowerShell.exe
2068	PowerShell.exe
2068	PowerShell.exe
2944	PowerShell.exe
2944	PowerShell.exe
2944	PowerShell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe
3176	taskmgr.exe
2164	cmd.exe
2164	cmd.exe
2164	powershell.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
3176	taskmgr.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
3312	powershell.exe
3312	powershell.exe
3176	taskmgr.exe
3312	powershell.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1548	OpenWith.exe
2956	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
2956	vlc.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe
3176	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1480	mspaint.exe
2412	mspaint.exe
1548	OpenWith.exe
1524	OpenWith.exe
404	mspaint.exe
4276	OpenWith.exe
2956	vlc.exe
3652	POWERPNT.EXE
3652	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 872	3240	chrome.exe	84
PID 3240 wrote to memory of 872	3240	chrome.exe	84
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2628	3240	chrome.exe	90
PID 3240 wrote to memory of 2160	3240	chrome.exe	86
PID 3240 wrote to memory of 2160	3240	chrome.exe	86
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87
PID 3240 wrote to memory of 4496	3240	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://chromewebstore.google.com/detail/nbpmobgkahbnaojacpfmhigfofhbobja
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e38a9758,0x7ff9e38a9768,0x7ff9e38a9778
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:2
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2360 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3084 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3052 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5408 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3024 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4628 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4756 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4692 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5624 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6092 --field-trial-handle=1860,i,17506928916705259595,11824294328898770036,131072 /prefetch:1
  2⤵
  PID:3328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1532

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm revert8plus.gitlab.io|iex
1⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnlyzz3a\tnlyzz3a.cmdline"
  2⤵
  PID:908
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES231A.tmp" "c:\Users\Admin\AppData\Local\Temp\tnlyzz3a\CSC125F2AEE50524B8685A6D1EEC7ECCA44.TMP"
    3⤵
    PID:456

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WaitResize.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WaitResize.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WaitResize.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\FindGrant.mpe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\UpdateGroup.fon
1⤵
PID:4916

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\EnableWatch.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm massgrave.dev/get|irm
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm massgrave.dev/get|iex
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_16274055.cmd" "
  2⤵
  PID:1212
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:4452
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1284
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_16274055.cmd"
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2756
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:2932
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:2740
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16274055.cmd" "
    3⤵
    PID:2540
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3176
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:3992
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:4748
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4456
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
    3⤵
    PID:2628
- - C:\Windows\System32\cmd.exe
    cmd.exe /c ""C:\Windows\Temp\MAS_16274055.cmd" -qedit"
    3⤵
    - Drops file in Program Files directory
    PID:1200
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
      4⤵
      PID:1268
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      PID:3288
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1700
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_16274055.cmd"
      4⤵
      PID:3940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:2544
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2080
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:1696
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:3916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1140
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:1476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16274055.cmd" "
      4⤵
      PID:3020
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:4008
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:2932
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      4⤵
      PID:2852
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      PID:4240
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        Runs ping.exe
        
        PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
      4⤵
      PID:2540
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
      4⤵
      PID:452
  - - C:\Windows\System32\find.exe
      find "127.69.2.5"
      4⤵
      PID:4748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:4892
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:3388
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:5004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:1496
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:4988
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:3004
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:4704
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:940
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:2852
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:4156
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $ExecutionContext.SessionState.LanguageMode
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4932
  - - C:\Windows\System32\find.exe
      find /i "Full"
      4⤵
      PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:4540
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:2832
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:4948
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:4156
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      PID:4700
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:3412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:208
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:1696
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:3572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:4704
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:2852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      PID:3704
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4756
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:3060
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:4224
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      PID:5076
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      PID:2740
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      PID:912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:3136
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      PID:4144
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:552
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      PID:2432
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      Modifies registry key
      PID:3176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:2552
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3816
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      PID:4748
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      Modifies registry key
      PID:1740
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:2788
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      PID:1736
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      PID:4412
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      PID:3564
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      PID:1276
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:4008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:1940
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      PID:1300
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      Modifies registry key
      PID:2012
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      PID:2832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      PID:1312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      PID:4820
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:4140
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:3776
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:2688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      PID:4956
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:2936
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:4132
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      PID:4084
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:5068
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:2176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:1060
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      PID:5076
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      PID:4156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      PID:2740
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:452
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:4840
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      PID:4988
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      PID:2080
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      PID:4208
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:5100
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:3816
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:1268
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      PID:3332
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      PID:32
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:3388
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      PID:4748
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:5064
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:5004
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      PID:1144
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:4456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:3992
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      PID:5064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
      4⤵
      Modifies registry key
      PID:2628
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
      4⤵
      PID:848
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:5004
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
      4⤵
      PID:1476
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:4540
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:3040
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:1140
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
      4⤵
      PID:1944
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      PID:4208
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4552
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
      4⤵
      Modifies registry key
      PID:816
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:4808
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1984
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:656
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:2852
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
      4⤵
      PID:404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:1528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:1684
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
      4⤵
      PID:2164
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:1656
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:768
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:2324
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
      4⤵
      Modifies registry key
      PID:4616
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
      4⤵
      PID:644
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:4376
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      PID:4956
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:3524
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
      4⤵
      PID:4000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3616
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
      4⤵
      PID:3860
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:3440
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:4464
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
      4⤵
      PID:4224
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
      4⤵
      PID:768
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      PID:2432
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:1268
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
      4⤵
      PID:4840
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
      4⤵
      PID:4580
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
      4⤵
      PID:3688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
      4⤵
      Modifies registry key
      PID:2108
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
      4⤵
      PID:5032
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
      4⤵
      PID:3588
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
      4⤵
      Modifies registry key
      PID:4976
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:3288
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      Launches sc.exe
      PID:3096
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
      4⤵
      PID:1696
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
      4⤵
      PID:4240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
      4⤵
      Modifies registry key
      PID:404
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
      4⤵
      PID:2220
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
      4⤵
      Modifies registry key
      PID:4264
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
      4⤵
      PID:1312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
      4⤵
      Modifies registry key
      PID:1496
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
      4⤵
      PID:3776
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      PID:1444
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:4376
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:4956
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      PID:2688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      PID:4256
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      PID:1296
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      PID:4080
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:3860
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:4784
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1448
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService
      4⤵
      PID:4156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description
      4⤵
      PID:1816
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName
      4⤵
      PID:5000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:3688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName
      4⤵
      PID:5064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
      4⤵
      PID:4976
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type
      4⤵
      PID:2784
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4852
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4616
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1404
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:3060
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:4376
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:3524
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:552
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:2176
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:5068
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:1060
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:5076
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:2432
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:452
  - - C:\Windows\System32\sc.exe
      sc config DoSvc start= delayed-auto
      4⤵
      Launches sc.exe
      PID:4840
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      PID:1816
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1800
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      PID:5000
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      PID:2240
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3388
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4748
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:1736
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4976
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1940
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1696
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:656
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:1648
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:2164
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2220
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      PID:3128
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      PID:4412
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2784
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      PID:4820
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:1656
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service DoSvc
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1240
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:208
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2000
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:1648
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2012
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:3852
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      PID:1476
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      Launches sc.exe
      PID:3604
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3776
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      PID:4800
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      PID:1444
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4140
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:3616
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      PID:2740
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3860
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:64
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:2432
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:552
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:1984
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5068
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4000
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:656
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:2832
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
      4⤵
      PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':wpatest\:.*';iex ($f[1]);"
        5⤵
        
        PID:2164
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "13" "
      4⤵
      PID:908
  - - C:\Windows\System32\Dism.exe
      DISM /English /Online /Get-CurrentEdition
      4⤵
      Drops file in Windows directory
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\dismhost.exe {A5C60EDB-D355-479A-B498-74725527F5B3}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4084
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:3852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2164
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:1444
  - - C:\Windows\System32\cscript.exe
      cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
      4⤵
      PID:1696
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:4140
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:1204
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5076
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:2324
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:1296
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:1252
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:4820
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:4704
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:4132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:2832
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
      4⤵
      Modifies registry key
      PID:4412
  - - C:\Windows\System32\find.exe
      find /i "windowsupdate"
      4⤵
      PID:3704
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
      4⤵
      PID:4220
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
      4⤵
      PID:3996
  - - C:\Windows\System32\findstr.exe
      findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
      4⤵
      PID:1736
  - - C:\Windows\System32\find.exe
      find /i "wuauserv"
      4⤵
      PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo: "
      4⤵
      PID:4820
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
      4⤵
      PID:1448
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:1252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:1528
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:4000
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:2756
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:2000
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:4220
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:1736
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:2216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:3400
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Restart-Service ClipSVC
      4⤵
      PID:2280
  - - C:\Windows\System32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:1528
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:1060
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem1C6A.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        
        PID:316
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:1084
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
      4⤵
      PID:4364
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1696
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      PID:2324
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:4820
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:452
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:4172
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:2904
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:3948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:4788
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:1696
  - - C:\Windows\System32\mode.com
      mode 76, 25
      4⤵
      PID:1060
  - - C:\Windows\System32\choice.exe
      choice /C:1230 /N
      4⤵
      PID:4956
  - - C:\Windows\System32\mode.com
      mode 130, 32
      4⤵
      PID:3852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      4⤵
      PID:5032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $ExecutionContext.SessionState.LanguageMode
      4⤵
      PID:2904
  - - C:\Windows\System32\find.exe
      find /i "Full"
      4⤵
      PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        
        PID:5076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:2756
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:572
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:3616
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:3400
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:1940
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:1296
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:2832
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:1984
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:3656
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4140
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4616
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:4932
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      PID:3704
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      PID:3284
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3776
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:2128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      PID:644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:452
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      PID:4256
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      PID:4900
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4704
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5076
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      PID:656
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:2756
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:572
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      PID:3460
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      PID:64
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      PID:4980
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      PID:4856
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      PID:5044
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:3312
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:1572
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1296
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      PID:2932
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2832
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:1984
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1252
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:2904
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:4224
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:3284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
      4⤵
      PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':wpatest\:.*';iex ($f[1]);"
        5⤵
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "14" "
      4⤵
      PID:5032
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:3460
  - - C:\Windows\System32\Dism.exe
      DISM /English /Online /Get-CurrentEdition
      4⤵
      Drops file in Windows directory
      PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\BEA262E6-B4B6-4866-8F60-EAFC0E129B49\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\BEA262E6-B4B6-4866-8F60-EAFC0E129B49\dismhost.exe {E8095801-242A-4F47-8909-6CAAA0105955}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4260
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:4080
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:1296
  - - C:\Windows\System32\cscript.exe
      cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
      4⤵
      PID:3640
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:2784
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:4988
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:4852
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:4784
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:452
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:2936
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:2756
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:4172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:1648
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:3288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:4260
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:3852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:2932
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:3616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:1984
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:3640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      Modifies registry key
      PID:2000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
      4⤵
      PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
      4⤵
      PID:1296
  - - C:\Windows\System32\find.exe
      find /i "Office"
      4⤵
      PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:4704
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:4064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:3288
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:64
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:4492
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:3312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:4856
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:4956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:4260
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        
        PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:656
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
        5⤵
        Modifies registry key
        
        PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:2460
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        
        PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
      4⤵
      PID:1940
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
        5⤵
        
        PID:4932
  - - C:\Windows\System32\sc.exe
      sc query ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:2044
  - - C:\Windows\System32\sc.exe
      sc query OfficeSvc
      4⤵
      Launches sc.exe
      PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
      4⤵
      PID:4592
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
        5⤵
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
      4⤵
      PID:4080
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
        5⤵
        Modifies registry key
        
        PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
      4⤵
      PID:2364
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
        5⤵
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
      4⤵
      PID:4980
  - - C:\Windows\System32\find.exe
      find /i "Wow6432Node"
      4⤵
      PID:3852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
      4⤵
      PID:3776
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
        5⤵
        
        PID:4364
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Retail Volume"
        5⤵
        
        PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "" "
      4⤵
      PID:5044
  - - C:\Windows\System32\find.exe
      find /i " ProPlusRetail.16 "
      4⤵
      PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
      4⤵
      PID:2324
  - - C:\Windows\System32\find.exe
      find /i "2024"
      4⤵
      PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
      4⤵
      PID:4140
  - - C:\Windows\System32\find.exe
      find /i "Subscription"
      4⤵
      PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
      4⤵
      PID:1252
  - - C:\Windows\System32\find.exe
      find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
      4⤵
      PID:3636
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
      4⤵
      PID:3656
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:3400
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:652
  - - C:\Windows\System32\find.exe
      find /i "Error found"
      4⤵
      PID:3852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16274055.cmd') -split ':hexedit\:.*';iex ($m[1]);"
      4⤵
      Drops file in Program Files directory
      PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
      4⤵
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
        5⤵
        
        PID:2080
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
      4⤵
      PID:1524
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:4236
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
      4⤵
      PID:1832
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:4320
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
      4⤵
      PID:776
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:4900
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
      4⤵
      PID:4760
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:4492
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x2 0x3"
      4⤵
      PID:4732
  - - C:\Windows\System32\findstr.exe
      findstr /i "volume retail"
      4⤵
      PID:4920
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
      4⤵
      PID:2012
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
      4⤵
      Modifies registry key
      PID:4260
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:2460
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
      4⤵
      Modifies registry key
      PID:1292
  - - C:\Windows\System32\findstr.exe
      findstr /i "volume retail"
      4⤵
      PID:3940
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x2 0x3"
      4⤵
      PID:1240
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:2932
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:3616
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:3196
  - - C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:3852
  - - C:\Windows\System32\reg.exe
      reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
      4⤵
      PID:848
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-18\Volatile Environment"
      4⤵
      PID:644
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-19\Volatile Environment"
      4⤵
      PID:4940
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Volatile Environment"
      4⤵
      PID:4148
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-21-3336304223-2978740688-3645194410-1000\Volatile Environment"
      4⤵
      PID:1784
  - - C:\Windows\System32\reg.exe
      reg add HKU\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
      4⤵
      PID:1528
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Volatile Environment"
      4⤵
      PID:4932
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
      4⤵
      Modifies registry key
      PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
      4⤵
      PID:4788
  - - C:\Windows\System32\find.exe
      find /i "Volume"
      4⤵
      PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:2080
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:4064
  - - C:\Windows\System32\find.exe
      find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
      4⤵
      PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
      4⤵
      PID:4084
  - - C:\Windows\System32\cscript.exe
      cscript //nologo C:\Windows\system32\slmgr.vbs /upk 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03
      4⤵
      PID:4000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
      4⤵
      PID:2128
  - - C:\Windows\System32\find.exe
      find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
      4⤵
      PID:4172

C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
1⤵
- Runs ping.exe
PID:64

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3176

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:2240

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3440

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:2164
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem15E2.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:1300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff9e38a9758,0x7ff9e38a9768,0x7ff9e38a9778
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5132 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5296 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5712 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5696 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5808 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:2
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6048 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6084 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6104 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3212 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5816 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5488 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1508 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5920 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5960 --field-trial-handle=1948,i,14278226321708019483,9926226079945714291,131072 /prefetch:1
  2⤵
  PID:5604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4f4
1⤵
PID:5300

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Revert8Plus.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1836

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\Revert8Plus.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:5464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\Revert8Plus.ps1'"
1⤵
PID:5728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qoqwxqqn\qoqwxqqn.cmdline"
  2⤵
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D09.tmp" "c:\Users\Admin\AppData\Local\Temp\qoqwxqqn\CSCD00842E523F458CB2417DBF45491BE.TMP"
    3⤵
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
9ef184f3eea81576682de3f1e893fd49

SHA1
58439f081b45eda903ce79ce4fb9c679c7a30a0e

SHA256
9c95606bd0c1d74833109aa17af2597afad294c059c9fecea8143f0bd6eb9c52

SHA512
451818cbf204a7acd08b28f9bf84a1e1543921a29a6cc6164c5c9ef674a697b27fd43c50722fe40b1ccf788b770d4f0b7bbe7c44f8c3e5df747ada4db8359513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e1e06f1bc2ea8efe486919db850c7c4e

SHA1
879c89d09ffdd29a18d65540f5caa2454795a89d

SHA256
d0446be9d39a2d354b4b305057a249a8c639b7c1cca804e380d4c71e56815b7d

SHA512
bc5c8d6ed0484f7f1814927a562c0eda12b856f97082be04d8ef99700a99dacb361bf83ca6db5ad4531bc9b1bbc20cf97e943b500f24e13784b6a4e375b73c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
36KB

MD5
4eac6a9ac213ced7214ab926e62334b2

SHA1
6ce777ae5e8b10afc73d30f8c8a48adafaf6cb95

SHA256
34a42c535932f84af6313a621c249c134f7249b19678a53a78fbabb7c640dd7a

SHA512
b9de3c07994abd2de76439898c8f63374781f0cf5b6b051cfb2d665f0cd01b5531f8a06150494a025c856ad85bf5719e4130bc2feabb8a19e06b52a1beecfdd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
69KB

MD5
425aaf2fe9ae488d308da2a4d12dc394

SHA1
d4464306c1d905b5fa74c70ff9bdfdfbd94cd881

SHA256
fefd57119b844edc619e31e52835e819dc50abdb4422db73f6f88b8aa13f756f

SHA512
d665c2eb43d91dda21abff45e2792f37576c40d328af11904c7eae1f67f2f91aafd1066202f21b736aae7f5826eeb3d109216298cecac1c1d6a49973f1880355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
27KB

MD5
8e726f705237de526d24bef1bf3a0631

SHA1
32686afb7c33d0ea65c413d773bdff6a01a59899

SHA256
b0caf825c0456cc2e5ffef6801f361e34d5533c3bf55e3af0cb983e39343ba14

SHA512
c62c7e9ee6d1c5408811099f5bd5dde0ea20dd5d9d85deec980b3bab8344eefcd55143eda98b995d2418ca20522420f0d2d6c8f18bc0ecb48ad32b4a5e2e8c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000045

Filesize
58KB

MD5
6c73992e0f0c77305a6cc873d1166661

SHA1
c054fa30f163fcc949ceb5509364789280901df8

SHA256
47e6ede66b9dec2e36fa3a77ae055146811ec9649a5505fb9afc62b257422aec

SHA512
3b907fd296c687b4a92617315b0ac216f591a9ba05bfee7ac6877dc6ff2899aeb01d7e77119297ddd150520d3bdbebff2a3878f394c6bf95f64af166a9f8d32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004e

Filesize
46KB

MD5
6a09020e5ffc3f8e067bdfb08921587d

SHA1
f86a1c1e92dae95003cc277ec3aefae8a45e5cbf

SHA256
91deff0f2b0f678262a6f84eac90b0d74a0196e4d2caefb4b20f5f99a45f6a5b

SHA512
9a074fa1ffd919d0d2d0c5d2e8ea874dae62e7d933b1526fb9fb25d14f244335f9f7567a3c8b77c159b54756659208b2da763120a5bb8513d52457b6865afb05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000068

Filesize
315KB

MD5
cf416902d156bda6c547eb585a562d79

SHA1
bf33de1a2a5eb0f56aabb29dfc195153a17c7b4a

SHA256
0301efb9f0e4bbefbf92523cf0c4c5b0526646768c5168fbac3e729f99c5efdf

SHA512
5987d3b07b63dd6200fa124d88a6cab7cdd152294e65fd4257ca19c41e832376cb1dabb73deb54ac4513919b9824d422059f712b9ddfb88aa5112606e4c80338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006a

Filesize
126KB

MD5
cd2532bb538e31dc9504908bdf45742e

SHA1
4087fb9321b9e7f03355117ddab6ea82c20bc658

SHA256
44d33a6c12ea37f9b1492228f50b2acd9a8e93c478ee0a66ee5a6e1d83f52556

SHA512
9d46228713508a998fb47c675abfbc67db279b692c0506167308f791c32924ae09fa205409d4bd007a0c3d73ea7100d5e4e0a19f685e95b01b36330cf94da23f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3653004befb613c5_0

Filesize
266B

MD5
b8470aac1601e062fdba169a7dc4da59

SHA1
36e343c6a12a99a2d2b24477c6d22b96c3fb5c46

SHA256
fef100bd44a6cb24404a9660e932ee487d29cb9eefe255448d2201adf8fd11fd

SHA512
087b27b9cd1a793a4f4d8577f0b3ade9b28c03f17103c2433d8de30b5bbfe2fee04273d82b34e34fae6dff11788ceb7cf5e967efa1c1d3ca0755d0b926fb4869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4ea2e2571fc8616d_0

Filesize
379B

MD5
9061c90315e73d8b205e62a322ebf30e

SHA1
4096946f671bd8807bf523910de677e6c7a2451f

SHA256
39d321ccb42da8dfadf9ef625d6b356fb5fef43f51509af3b437418a9bc063ad

SHA512
c741c8d6a22fb804be3716de48c054bb41b6d2773dcaef77635f9f7cf985e653ffd7ed84272ff8c876ea0fdd89d4d1de461905c070b0732fb53d4a0389ff6f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b41d8df8ff18e1fb_0

Filesize
28KB

MD5
1f4ce154f449891e870784e52b40cdd3

SHA1
8737e2bded3a5f16497470d913ede95e2170b3b8

SHA256
39441085df158db60b88b6c023dba5cc1c5b05959325da14dfe7c41cdfd5b56c

SHA512
84d109f6e101447e9d2b617001cb19db42ab326e9816eaee7377bfb754e45036e4b67cde785fcc6ce91cca5e3a4d36239f21972290570fb76fad51b6e29d7646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c8c7344a51e3f8f2_0

Filesize
102KB

MD5
087955fa382568071e7992ad1f90493f

SHA1
15e5874ab22ef4d3513dee5a68e45169c755e2a9

SHA256
6996e888d066922e72fd94f66ade9c9e879ba37190fef5bdfda8ba3372c7cdd9

SHA512
9d7d330f555216f58dde0e02c7fca1bb129ce21946a854cff372efe034bc691b2e8d16092fbab6717e8c8f513cddfc0e8dda5991aa00e292890766012109dc7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
e351c13e449e54e02b10e863c9bb580d

SHA1
a72a3b157af76f0d2fb69fe2598adf43d6d972a1

SHA256
32eb6617208816cfd442702dcc34d6c436af165c0ad4ca1963280e007ff80b2b

SHA512
f508ccdde3a54149dd142de9e502763c4a019044cdfa0b7aa9bbabfa16f7dacc86a839c2b9228771440f83b23eaa26e8b0bad480e6f76d2e3511e60595b405b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd062530415c925a562faf6e981bc666

SHA1
6909056bc24fa565dc64f6aa15d039131261ce2e

SHA256
9cc816a7c3ed4373351a13a5be5dfadc71b5b22915b23c0b6d3f60a082af0053

SHA512
d96044a63ab340fa713f17795d62bf47dc817ff1fda38033a5eca3c083018b8d3efa82370060b7c71782d5796de238c3b4fc997143803b82543e8a9f7f984e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
355adf8b573fb43bd73d0fa19a90b968

SHA1
65e00b548785685dc5bc1de28c3d007d33ebb2ae

SHA256
93c140e770a7120fb34c76604babb5e6b8b2ef4728faa4bae8bd9b9f55af4c2d

SHA512
c11583b22f8e31426043e90be3bcbf36deae705064f36e71b5bbbba5b554b76461d745cb913cabe171de0d801d9e96412844fdacc50978935cc3e3f9d5a8daaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ee722509346b595c67bc1b7130a84953

SHA1
60921a04b73bd60fd2bb549c38b697da89613549

SHA256
70805516d0ffdbbc713f08d0c21e1759695bd5c61791354b7e2a951ecab15936

SHA512
ea34cbc7c4b36e42b230cd5fb1706aacbb927a311d8fcd5a9e402bbe79c6e5764872dc4a92e3236639f94553ed8f8875689f27722818a63cb85d6cbd8e08f4da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cc3ee298320df1d52491f2b7c39a9f46

SHA1
8ffa1a2b3205164438e6e9c84f5500d30179c9b1

SHA256
2855d973a9c355f44f5d6ed34b64a0110daae5da1983e27cbbb2e7199d1317e5

SHA512
d3cdef4e72ded18b1fb4985b81f63d4a91d576ec47f56692945928dc5edb3b3390b1c976a697b8acb5a3aba7e3aae9d9544ac463bc3c587c726cd84388b05bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
4de78566ca5a3c99c77f851e61933ef1

SHA1
10c79c6027d354ed6f2b0157b258d781ff5314b0

SHA256
908968175f8c166cdd2ac0bc7bafcf8f593d921c680a883585109e9b03dc3d3d

SHA512
8e76a2a4cf017c12393628e18a339dbdb377e84cb181f24720008a94bbff5d22f75e72500bd21cae72566ef7dda79c6e95538fc27c5341f11d94166e7c98b289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ea311250b53d5976511e410b0318b71d

SHA1
6b21e365e4383dcc12ee2f7d63ebd7a57b5bff1c

SHA256
934897cdc6c5b8dc271082844fd7b7ace773f3a5b6bbaa5d8211653a0614b3df

SHA512
fbae2b80390774ba0b634c65d4987517582a08af109630776c18077e141311189b3223545137984847a4f8bb09f58760df7bf5de5f1a126ded25704dd06197e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\939e0b86-49e0-4ebc-abf0-caaf88b1f2c3.tmp

Filesize
10KB

MD5
9d2249593df324d6e9b518744a1e1c14

SHA1
8f4d524d31e8e91e9feb14dff358c4c0f6cc4e9a

SHA256
6684e0c7fc8d495fe2cb85b22bb2028797a6b7f0bd8c0b3e740bc77e7ab5659f

SHA512
78858c9cc42e9e5b98e737c6416e7afaad9ece3e2552819b8e1038b5704fe6b9cedb6e8f95ba29c780944dbd5a9a0535cc2e219983d9efdc8389f863c4ce63dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b5d682decf5d93e90e8e5b93f080798d

SHA1
45a8b8f092bee45e293a31a4c13c61771fd95890

SHA256
9b094c3da3c85b98e852a470d7be51f4f94345aa31dde58988809b2e5d71ca0e

SHA512
8b960e45cedc47d71655a624a9bb8ee2092924352a8b802067e52e63f447f391c50a1b479f78ebf3ac24dd26260cc09b2fc9d3760bf588ca462a9a95f61aed6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2253ed3ea34d655cca9e51bafeec3ae6

SHA1
acd0831a0b48f03339110084236d8830e3463835

SHA256
7eae2a7a064a69f247b464ebb3d641de57ee9db389803ecb83e26829a3d0a25a

SHA512
2dbfd0ac20d27c8589df56a70437ed2d161a37e43e9c2939cd4d9b571af4c5b81a2ab793f05aa4beef992e0182929039b60a1e55139a967d216a65769f2e110e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
9064dea9969f69247925b6825c913378

SHA1
21927da10634d6859db85f4cc46b264e6c326200

SHA256
cf72caadbb4f268d0138bf3291993f2f07195c14a36de1aa157dc6f277b7bd43

SHA512
3788813c26b0385d526ba51cb81332caced9df9fe2d7abdf328170cc0d4788e22f7656091797f4ce4ce70ea4918703418ec238dcde46ab21c64fcfc8a1f9e935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
694cb59d00806ffa9caf5b8f47fafa03

SHA1
927271fc9e896a299841ad63096c55afbedf3dfa

SHA256
7e288c08697ca9b50ea2ed7c9cee935a8c664775bc44533bbfcef7cc3018ee6a

SHA512
64a4afecb3fa7d931bd89d5f2da17445d14126422862741daf44290aa01230f9713bf6030e232bb77eb1eebe5e8ef2a7ce736d4df1c74d73aefe9c86518c89e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bc3841c23e6182037baf78d4b678c682

SHA1
e333243e187a6a860abc7dfdf31ba059080d2286

SHA256
0ed59f58dc51f9baa75198eb405fe7f6d84a13d5c0003176ccd74dd70137acef

SHA512
ef19d922bc798a8ccda4563a119bb92c60e31832f5d8f5ec5cc74b2d656f35ec41ccc1147a64e32dfc3bb5b187d26017f065b7d497b3ffba85421ed3a1ca9fb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2657c06df8bdd7a32a980de968c8c2e3

SHA1
e25a0f7c8696d676178fce997cce5e091d6d4eb3

SHA256
aa4b75cf387fc09ac9e618fae4eeb6f7d9d82b8ca2b32cc6966ba8cffaf60a72

SHA512
40f89d3fdc93c45f4606675014bf0ddf8733063cb808bffd4c09d87a2e1c3bfb1ccff9c31db68f9fe53416ef2c2252e7669489ca06f0a54e82808e4853221792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f95871b4e6d40d1246700af90579c19b

SHA1
6b1a267484c9bbf46b6bbcb7e6370129f02be770

SHA256
0757e0f856670bf06f7bd5dbd1c26a84ddf67e9b9d474f180c901ffb2dfb0597

SHA512
fcdb59812c6a1e192f8286ab313957a7531ee62d717546a5e67a062f5892f53cda6e6e7e5c5a2ef309f71d2d71f9c86e4e7439f255c94106c2f15ed2b702bb86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
806ce0f65a94605c89a8be8e1cedad2a

SHA1
dec9c1b5c810981ae47be627f15e091f41c85409

SHA256
e9cce2ae944ac3d9014ddbcd333a1ca474f23ab912c6e0e4758c21102b864ca4

SHA512
8c1f5b9951843d027dcc7f602fcdb4104e962d4f7873ba62d2d618eba75d9cd4fb2f9ea970a05bfcf16346453912a5229df4c25cebdd695eeab68a8c51e5f069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
69a38628a9ff3d0fc04759ccaed95db3

SHA1
e43b834d518f924b464621f589017866838306e0

SHA256
b37bfe691e6927a5c0d160026acd0c24b74255da42c69f0e0d6bd71df8b22824

SHA512
5fcdd2834e5d29ab770a9b43b2e6306fa8878d5d691134c14b3af28d04ccaa575f8757d5968199af3203f712628d8d9d9815b52039ca5639c1870cb792010da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
61044cf3ed93c19450732a8dc75bd435

SHA1
7b3b4eef01ba6745519e9e224e3a0158c6eb2d1a

SHA256
2051d840b27dd411fbc89da366c0d8945a38ca9d2d25f98acad4009f06f5983f

SHA512
ff6cd9e2bc7e613812619140611711d6fbd835f933ccff0ad4a938ef5b3b33155f2b3d94c20e96a5f7e4779d5e07ca9b8c8280f079c364061aee4031243c5e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
edffc20b0110e63fa0ca5315e0e1799b

SHA1
37de2dcaacf5b5eef6fb8f70c301bdf51dd41ae0

SHA256
6972c0f4d23b779522bc471f7afec8e1105e8197ac86e36d2d855519fe0b2027

SHA512
82997f10b6de03ac012e431277d6fff7bb57151575bdefa2c8c8b1165951a2271624bb765b379fdf01943cfbd5694d7bf2f6cfdf3fb6427030b5a826ecadf380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
556ac5767f67da777a2f42380e84cebd

SHA1
245dcbd4bfea6fd8e11b69f72190e5e0f80fdda4

SHA256
6bf82a272217988373bfee31d641a226fea44051c59a3d52583d746c0308dcf6

SHA512
133564fc0ea544393ffd0839f1f3b2208061d24d33ecd888b86dacb2a10dd760d47ab9c04dbe33ded9e581dcdd5c4de4a273f0d63d2394ab7e486f3427338eaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
3712ef9250e2a9e76a3d96bca81100ef

SHA1
1362b15681f5912978162ced2e8a51008a634c20

SHA256
de5ee25fb1cdf4abbacdab6fee6ec71ed8f5213c551f55ef4f78a4085ca84d0f

SHA512
b8afe5a8bd886e2f270abfdf2745b6a44195776d0bde69eeb3a85ce1f03ee08d4efc0774f308574a04be8f22547e9bcf8a088e16a2bbf4ee6442f064898100e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
83d0521f3ca21c9b01b89f8a47a99551

SHA1
76811643eea983e87de6482b6f2359e4f9f620ba

SHA256
488950d50d57f0caa7450ac73c4f58d4732fcd49fea1fc0e120f97ece793d97d

SHA512
b24bb5600883a38392a6762ba5477adbec315fb1c4405169c56adc2bc9032e1d594e65222a7a32d426f8e3daecb15b64da7f80704a5975e126e0124c7f2b4bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6543110b7323aa4d4a31e16539c93a78

SHA1
52dbdb2d447871cc1cb56ac30348181469e2ec6a

SHA256
8781a109dd2fc9a2de98ebfa7fc98feba156fd5397d6b2197014f7c974f4ac90

SHA512
fb698e67c1eb5f97c5f229f7b008d663901827837b01f8e3e9ef03db6b689cffba14975f3240aa17b8943ed15ac2eeb6b8827ae7d3d555cfa6bada195f42d0e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e3d2111f266bf2a81ae37303b3c67ae1

SHA1
038c841ea4c2b46926b2e32bb0a972b3e5ccf1be

SHA256
a573807364847d185330d9f6cb2b730ad7f7a5c8abd604ddaadefa185df52aab

SHA512
778c1d9c54d2d2b295c7da2509dd82969e3929d03b49268602978a3cb7db379f82bcdb2f1bc1f7b3e2b5cd5f0f677465d49e02ec2153aa02b64f5a544621c889

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
51b49c4e8d277febc8603615cb14f540

SHA1
6dd7148ce46935310f7323fbac8f2b726a97b8ea

SHA256
3d7518cd25449e648fe22a3b59fae0a3685641aca8f572545ee95e63f4a60421

SHA512
1531150fc7d063e1d94c9d6d202073b269bb8ac1db1b6fd9014faf9dfe081d2013628f483ca9463f018e159c3640869c930d1245ac296e97708fda4889819637

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b181f64a4ed4780b2cf81fca3d73a606

SHA1
774fa21c341f5516e16f551cbcdd72744ec68e23

SHA256
c122b84cab3db67cd4c85a4fba7adb6747872f3c6e85da037ba95be90b21f52c

SHA512
4888178d4cbfa00ae10b4c10f80c332dc93135b0b89f31c7e0ab39b13a8c1e9a8ae0a3010c4572c8143ce08352acd7510dd52367f860f62cd5b54cf0c782eebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bccca4b82c4d565dcf06713b9d5645d6

SHA1
be7cd621be026a7666f3dfbabf4383998fbd2c63

SHA256
220a91dba8f94fdbb09d40b5006ef629a4a36046c07af9a2d78d45f8449bb138

SHA512
53c7f6907923cfb1ece3e113a0442d9efeb4e3df2e630c5a67f784766fae9b7381f38e56f421ae3004c427c71d1834aecb75d3400b225bce7d563b9506a8230d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6f6054e24bb702328222a8e143884013

SHA1
0dcdd581b25cbaa25fff6b78e6144e4c4be54658

SHA256
412bc759390b3b74265b10967d716d8ead2b9996ed3e3aa91e0b8d7c1fb7216e

SHA512
c8beac02b226df9381ed19b4a02c72ea2bf5acc6707b134604faa00d12442368bf13ae295f86c6818c55d4cd545a8bbfc2138ba2ee447192400c0a90eff53941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5bf9f1ef7e67a7a720e71680b5082459

SHA1
8b646bba5010c72df3122237e69d8c11efbf444f

SHA256
c8b9441e49e02a569d61f3d76528cfafc2181cbac0e250c6468e2e23b6031c84

SHA512
efcfd5dcbacd58280925f54aa03636121e97d134cded9dd04c0f3ee07610d9b568ece6c7f0743516ae7244992993254e6704d0d54914ca6310a7efade54bee2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac151c33b5a740aca376a111ebadeef2

SHA1
52813ab4f85f322d0606a0d62a845ba931820dd4

SHA256
95e6f062e1f3a22a3e8a26d26940e17d9686764449335661cb22af3731c6f9f0

SHA512
86957d89e27544cdcd6d2206463d79386878c191050087f7080f3a508ff2913759fd9b8745c017c0b744478a76048a9a0f965cca6f05576e3f31a8e271faed02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08e64b183bd5af977b6ed184b9c383d2

SHA1
00ed670f61b3b3ecd825405cc379c9c011b60b80

SHA256
a1af853f2f3c9d9d41347a1e2123c77500ca3d20932599adb049c55fafc56f2d

SHA512
f302dafce6e0a1bb32eba28ef54a518a0d405699fd197b077d10850c8050a88cbe62777d252f2d3dfdbbb5e0648aad65f537c7ca87e0399e09596b1cc335faeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f3d93870d9b7428f65d61cba47adf80e

SHA1
49ff2e31f5ac437cfd2be2491a16f32a2b33f8f4

SHA256
3efe3263edff6e468c2b7e9cb1e65d9e13ab2944ab3131129ad63ec1fc58b954

SHA512
347254a350fd564d8f1ff29e1d82bdf700be2ec3486c1e64923917a37f66c9357e195fd17ae45b6c7583b4584995cc26fbfa204d2f5976e9d7bdf1ca9b46b3a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
69f797e9c2834cd2150c63a235096838

SHA1
e1b600b9a46386ce231811ad6f66dbb39ccae771

SHA256
66429359ec54068a428a0c9ff1a3b1cb1d3450bb602882ec6b3e11242b65ca25

SHA512
875dcae1d9737107a5830b03bf44dcf7ac5a94f7e663eec280c72716ce44db138cd32bd2913e0abe81211260809177737c159de6efc3eb8d3c0e1fa8620b4935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fc78d42e8beb7a48c3f968180979a5d9

SHA1
655cd6074ae1f69880729ea4c66315392146fcb5

SHA256
697b91806304d7cc8d05099d8379a4029678aca09283e938fb51e58c729e2f08

SHA512
1d0b31e8710e52e59bb02d018664d665fc79afebc140bbefd228cd44b84123abb0c843a870ec0dc2feadb6ad5a893f7a7e92b3003f1bcf709e19ef998184058b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83f7e1cb3c14acb353bf3eafc3d35d04

SHA1
3ac387c7a8ba77bf39857b5f590c60b674cde9aa

SHA256
4f22cd08a0339246bc5539eb0e2c84be36f2eb72c60d4ac77f24230357466d85

SHA512
7e1c6ae38be85345768a3072d2457ebe5a65b52b5caea8d661cb615483eaf3578eff506cfa99a89973a41ad2ee961656c8d28bcd811a8a52618b249343178211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dec977bbf54176c67c9037c017050eb6

SHA1
5a3bb4ea4e7daf6919b2137dfd771ae2f0c5b772

SHA256
a26abcb61552ed9df99e9ed2bdc78de85c2ddca0ba22768ad03f878e8da0c53b

SHA512
9bcd645097b7824c83413b92ce5fee372e57c48649090febb2bcb61a7aaef6cb16b92766be6b8a95cbfc9b5c2eb3717051f2d2a301361b2be4e943b9552ce071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
94dd0440e5b213d1157c78ff16f97e2e

SHA1
da88f250f007a5411a39f33fa930e6c31cd340c7

SHA256
3c599d3d814eb52934145235ba9570c203c90d7894cecf6c5dbe14113b8a9f93

SHA512
059aca3db062459052f431748da94cf5a1bff10e5520895c981f5b4f9388312728977feb3c0461df4a97a8f4defd177eda4e580ac9c83f0ece043a417527a259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\16565bb4-b261-43df-b038-905041445fcc\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c497d85a-5f3a-48dc-a095-02c309995ec8\index-dir\the-real-index

Filesize
2KB

MD5
8572258d084545ae26e85af8bf6cec07

SHA1
98375dc99c54d530b0b10c912bff44f1a5987882

SHA256
39446861ef52a8a2b4cd68c229f6da1dfae5bd46749bbf935d2d4b65389e3a59

SHA512
c35e0cefc0464dd32fc247398e8db1ce5697bd962ea657018417c5c6a2d3eadd1a12a2516f311e97aff20c8461b80b3c807b4c7e74314941aad69e5125501ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c497d85a-5f3a-48dc-a095-02c309995ec8\index-dir\the-real-index

Filesize
2KB

MD5
47f2fc90e7dcd16b377d32c03440bf2e

SHA1
a16e9a203350162803cab4d04451e154d28e1cc5

SHA256
a4959db754c03e9e02b81ae2a4117273b7eb0d184357c714e1bdcf5ebb5a4e17

SHA512
5cd01dab8db97540f77f36c7ff0ea528fd4ea3773968cf09314e0918fc287afa30c9dae6f1804ea7b4767e60603b8e30839c2aa7e64c5513de91a7334a9bba39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c497d85a-5f3a-48dc-a095-02c309995ec8\index-dir\the-real-index

Filesize
2KB

MD5
f67803071d833b19b7c8f32c7c86ef7c

SHA1
9b1b125005ceb1da6f098145ffcda11bf6f2c9f3

SHA256
07aaa627ac1a7d5c25cdb55b5d9245561e0c8d832bdfa8c9f59b658a6b14f128

SHA512
1b1dee37d19ac3734f659b6b777792f08053a75fee14f482eebc89fbc02e6cbdb52225f924e47bc7a8a1d491b065adcc10c6d198454397825a7765a9b3c08e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c497d85a-5f3a-48dc-a095-02c309995ec8\index-dir\the-real-index

Filesize
48B

MD5
f3fb504ce6281d8d7e185d19ae266809

SHA1
4b01f272e74ba3234fc8cdd3ec20dd6084be0670

SHA256
713fc17c55ff37a21f1b117974896cfeacb2f34af5539fd1afd405a571db68e5

SHA512
2c67735fd60f2835e2d0fe8ef6af45730af9af8c668b8be421e4b1a5516363ea56ec8ae23b10904952a641e750957715b101a89b9c1f204f4f31d2c723aae792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
3baccad65a807e8f99c582f4436faed7

SHA1
3c80c6d87f53513d3c7994fba63eb9a08cf26ed1

SHA256
64daa83dd0f475258f5d27fa54d48306719d88c65175f816a3033f8cf29c89bf

SHA512
cf8ee8b5159d452f480c44e0035cb457a723996b884eae9021e966742c36dc407aa2abf8660863cbb19f93700c5d5c344d9e3b2024ad9fe83d49e552741d5d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
116f48aa917c91ad55648e0e672f73b0

SHA1
d1c5bb91a786a6ddc2e83e0ae43d2460cba0578e

SHA256
437fc4f3dbd5cdd0da724955f2f3247d5cb6b8feced37a324f4b4d3cdc9af2e7

SHA512
24c3cdd6af965657e618526657c15e03192fa5015a6ff38bf109e7cb370280bc2d1c75ddd235e087c0a8e15ad257b5547c76a1f9b80784077dec260f5b70138c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
4921ea85107c6561a59af84fc36bc62f

SHA1
0cb833d81269c3195629c9abb34d5bac3616d653

SHA256
fcedbad14612607e11f84a852de60e15ead84549877d24f4280a2fc955e16e2d

SHA512
5759036a57783b202f81dfd92a4bf6abd93467239a115f93e6e60c58576e28075a862381c9d70f153c5457a5d93e1364f5b69dd7b3f441230f35927a23d5ea1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
a969d9101ca7c3b217dcbc867ffcaf65

SHA1
58983a8b77ec79268fa909e608ea6e76a5ea8e1b

SHA256
c1642692d2ba742b9f69acb5b478ae5c1ee62d26a3e5bb11f9745e35301ff73a

SHA512
ca685704ae7111179c9e931feb14a85cb674eed760259bb10d118169c5e3e32f4502d129668ab004ce0590ea46e11bda7868c8a98831ff786f9aa5931b0bef5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
67f95cc6be646ed46a162dbb28cf866f

SHA1
5ee59897b374def33bbf486c138870b18b58f6e7

SHA256
efa6d665cc4a91a22007a23188e23b06880fe90fc1842f79d8198a3199802810

SHA512
d2dc2bee16d3437cbef50780609342d66f268c8e3556d6673ac896a244049bcb904ef146575a88de4351fa69cbcfa7561e2883a53376919223aec327c55247d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe62d442.TMP

Filesize
119B

MD5
c7c6b894fab72837c54a7b8b90786a55

SHA1
62b88fa8872019f07c579a825faa21545ca0b2a4

SHA256
0ee35fa9356eb25f22e63006fdecd3081f2887c9abb6660b6442245cee02e3d7

SHA512
803a19d5b4b3dfc32ddc7ee2b2657cd278e64e6f8732f7a40947194f965b95b797e2bf6384f7465f7c3fab776c483f2bffa64ccf94f7cdb250672ebf08e3240b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0edde73cbf4db3e0c2389048331dad03

SHA1
990263d626be75d9c4800706268d8b6378c99950

SHA256
10e574812462c45b6c2e093748b1deb3493adc122c0c7567196425355632d1bf

SHA512
f175e0e44c284407536e24f192d1dd60afb38120a86f708f207d74c970c4da179bc4ad34a6654add2081d5ea6989d6df49cc2289ac7d2611903a157c3c13e426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6324b4.TMP

Filesize
48B

MD5
a894cd8dfd6f7c2ecee610d0062e03ec

SHA1
2dbfcb153ace83973955ba4bc6a0710de324c55e

SHA256
636ac54f04f4c9958036eb4878567cec67cd1923781f461a52cbfd120f677c98

SHA512
6e035718ae703fc2eb0aceb72041294a6fdca7f75679459d7ba4016dcc16f25855c030480e254abef40456333d84c066fe622929b1679deafa5d218720631f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4000_2131292378\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4000_852136090\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4000_852136090\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
6da010ac3dce6ee8d8f46cab7aa18940

SHA1
8d11383435e5383b2719935c62f95f16631b3f3b

SHA256
5dfca8018b5df225ae1a3631e8ffff6670a90e33b97c898522ebc845a1b94c26

SHA512
49280d8772a6d5fc18225aa2e027fb0c2e381c478fad3d16ed6f8d1dbfa949cd578dcf9cb75571c0cf89dd24c43e3d445c976e705379b28b88284c074e871cf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
ac2ba5c597641c77c9d08935016cf448

SHA1
5bf6ee6db1d34d14356874ff3ae51ca9df22867d

SHA256
810ab090867d2c546865f9025802ebb5566689abd88080e5a6092aba9af06503

SHA512
3fa9a6ceb16d09a83b7c765c13b8f2f4b5edd21089d693be2f31f8b02641376ce5852e8e7904c44d5e22d06587cfd50b4363a4900b6b2580f723f3c40bcfd172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
2c03c45e6b5e169f76c4d024e0d88c54

SHA1
9f7a97bb90f722ec351c01b6ef512fbe31af2993

SHA256
88867d489b94d5af325e0a466de959b6df5259704b2119f0625007ab3bc3937d

SHA512
e4b29fde15bdc107253ada2a58fd45c80c2b7fba62efdf9680be9827e0ecd04fbefc3673598228482adf5fdea00bdbf18c849046fee805f89d50d45a232dde85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
c6f5f61df70fc596d27a0a088e989e9e

SHA1
ea112b55f97071e7b5b151e8f41b8a4e3fa8f765

SHA256
2bc27402cf7d8ab0283808b5f2db3f6645566ebc7945e9cb1d65c24c820904f2

SHA512
7f15f1ba9d416dad279deb4f4ea787cd4a362d44a0b1211530ef7be2408e2fc8995e81008eb8ec91c0a551a38241dd5f501f89d1ce20f5585115f4b4f670fcad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
3a65c141d2564cdd5dfff8d0a69cac46

SHA1
a5464af38dc4f9e7e91dbe8630a94851d4fb45a1

SHA256
2eb08580bdb9ff5d1ebe7388f56fc1197f3f0cd5849f9d8249cf1dbf59faeac2

SHA512
a0923c88632ea88bcea5bffda3a68ca4b0dc3ec7a34dd4d9a75d742091c836b49f13f8fcb844ac6a11e396f407177fedcfc0ed4de9929d3ddf7883e694eae19c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
10a846ef270581dc97bb40a55e3cef71

SHA1
14e2821b5eca269558139e6d01f430d894cfaed4

SHA256
2d93035aeb0c912174119b989b8f9cc739a4742ff69f288303b126fb4d8a8470

SHA512
ddf4c94cdd5fd5baafe4f5c1a44e08332a4ac231acefcc2025582f3d3458d0dbab968926a2b6e6138b6b2d0ed3381a18876814b11aabc0bb5027597beb0befe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
593d0e805a2612934bb7a56ee145496b

SHA1
63e03381e238464118909b112b31db11b91131c4

SHA256
2077371ecedf0d14af727b9a8f630cdec190fede2a3f8d7a87d19a3caed2045c

SHA512
c082900df0cc80038faef1ae554d0c6fd58afbbfeba48680e32a75561a1078530bdcfa5d544e3a074c56e1a0083553b7a1fa9f9838cdfda8af5543edeb5efa59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
1e9d5eddefa195d7109dc37ad1a411a8

SHA1
22703d2410d15348d86169558680e8711a5ac7b5

SHA256
af9d954ab3317efe834b8fc2e58089f2631c7f963df9fdf6c9b133d9c07c4c5f

SHA512
19efe5c2714db39625ebf6564f8c0264b61882b4a4d492a6dd666a3ad2ab39286dfcd21902e14f1fab7c87b25a5bc905ce744ed105b19f89eeb92f0b947dbe2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
6a230ffefbedaeb1970c60478ba2ceb0

SHA1
c53f6f5f0acc188095d164bb8db20dcc8ae2b8f6

SHA256
5e113ba01ad972f1174b73400031e6a34190981ca5e1a133ff936edabf7ca121

SHA512
e511d5941e7fc75e47ab3cbb543847508bcaa3c9c269f12823cafd21d5e5e7dd04912bd37df023abd95e1f256ded6e1de39f0eeb22499d56f76f98bb2bf7d547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
f5a110e29a3df5381e545091c7dd7db9

SHA1
4092e602e6ba01089b054a2a78d04690deb31d80

SHA256
72dceff865b7f3ae6c4ed4a9847f4549d104586bca1bb0e0341383a0cf0215d5

SHA512
574694189f7fec99ee8c0c14b89717082510fb48d0a042d33f7f4f21059d98ae6e8ec2a2d80c2fc592d71d6efefbd6f2e3c65c88dc1e82bf16bec4d6bd59d69b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
040350f5b6eb6bab56b52e06447c538d

SHA1
74d0321babe574939fe548c169d703ca3873f68e

SHA256
7c3e2f0c777be494c1b99f1149848e55108430449082a5773a0c8665b98393d3

SHA512
5515aa2331f1b331730e41bef8d02bd3e2c75699d96895e1b26a2a188a10d3053fe91c320a927340354f71fe80427be2cbf0ca9490f02485bf2dcce305cf2b6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
1b90baf37a494e8a84d78be23e4d450b

SHA1
33eb13871ac4a1fcef1a95266d8aae05642c51da

SHA256
3cc75f60f41d98dfc5140d7ed5a9bf68002b27ec66629430cbfc2b49b94ba821

SHA512
3071eaa96b4ab95f3b7cd78547ffe5b3e626f426ef7497df0e2fa6f12d79422a6d8634c5c0903ecc2ac369ee973014ec9d36e9dd21390be5a2cdde9f7563894c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
2083e88e67b6e3d68c698ca65de07117

SHA1
b9e0b6cc2cde486b58237e54fa5cc2b5f1eb389c

SHA256
73830aec3558dbfeccc92da4560d570b822f07c4e04337bd5e539b721b4b2f5f

SHA512
4b78857a994d2106501b5b088f412e264e4b21ed60ce1c7a3c6004dd34d34b2346ddee632ed9ec0f246083ac8af73464300072f306812323dbd874f1e6ba1a5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
045c20152383428bbc23cc6dc235bacd

SHA1
6461cb81962f1e2b1bc0571b947df31246b7aeeb

SHA256
f77b62f0edff92f7e696aef2296f491cbbc6e55529382db2a36062d966f94b6a

SHA512
4f72d472947cb25258e0485207130156c6be8e1c544b1ac239555cf1cf879965920467343e552f0821dc38483bd97dc49a9bfa97281806b67dfca01fa9cfe904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
84670ead1b79c6d5c19d9ea7bf64598b

SHA1
6192fc008f08b2efcfe213257a82d1de685d1d21

SHA256
4eef45270a789339bff218fc9312a81ae09960d7405f55e95da6a2793df3e481

SHA512
f704e931eef349e64251ee2775d6967264e0361f7bd95c47f2f7407ac7ac776d438f2ef3c1ee3e34978b108fe5c2d1bc406f68d20d802d38d651b69a4b51ffdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586b48.TMP

Filesize
97KB

MD5
677085a5621c5e9e6606e113ac1a56ca

SHA1
0df4259aee3ed7e0ca4cf90dcab824021d2cd080

SHA256
06d00cc99cb6210cc7a7e2611ab9ec4e9f3e68246a6a22512231718f2956e06a

SHA512
11b9c90ca72d90df6c6e0c52359b12977e1c58b24d89023d71ff48b2e5968ec51b0ba5ab6209adab065e8a5ccc8c7e785610d50d9bd66eb7b21e2eee435628c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
4KB

MD5
89e9eca89291e2aa01692458df8207dc

SHA1
81398c80d388ef18bc1dbebfd9aa42701fb70968

SHA256
4ee23cf263e662dfb359134005f1fe77afd5752337bb66410c98faa1daa4bbe1

SHA512
28eb0ebf975fc9300a42c913a33b5dbac528b3864af1b13ad386de37f97de9c17a26b3578ae471b14eac384279bc4b131699e301bee3ffe658d2d02d5534665c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d2e3189b22e881bb6156b3bb764b38f3

SHA1
b1d2642a2f81399eef636076a1abd374481aa249

SHA256
b33afa7b9f347602c94ee350c78adfd1562b823a286f6357d23f37e37de9ca11

SHA512
056cd39f1b8c8d829dc864fd7d715f6de6567abd2888dde0340914324d7f992994d357e11dea31ccbc729745048c3e85df11d0e0cdd9def09314606dbe143003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
8KB

MD5
9f9411bb3defa74475e404382d9665c8

SHA1
ffab3ced5b201a4f52fca59296fe115e97a8838d

SHA256
ed4617aaa373701d87f413b4ea0ef6c2c2acd5111bdb639c32f776488189b2ae

SHA512
351805bef5a6378f71250d5390e4fdda4d27f66306b3ae03cb00babac5f63df886e9c7fdf92b21fd8bef9950b71e40fe150697c33623fa3c695a3abd835deb1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a008ea4c25b4ac77c84767bbf56a2be8

SHA1
a5a9f6f99843ee6e0ab1cd4d9971c7232a54eb53

SHA256
63e7bc6ab52074e588f1ba1120643298420599d1e93ab149014c7e4b5fe91694

SHA512
bdc889edb64bbcdebc05340248561d4955d0397a22ba2159b76eb3f56b00a27648803f04ac41edbfe19e0056412b12947c3ca59d62e2547b578cd5d97cb546cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3073d3b03ffe5675ac6b5c5589e17d05

SHA1
828e6dd2769da15620b51f3d026aed3b979df976

SHA256
f9df7d3750f24343c6032b74f2273ecb1dc7e263183a1219bed330ef801d4ca7

SHA512
92ee92c4ec6b09b9ba6f0fe442734469c5305f6d07c03532d03b15d991fa7ba180e654d27dcd97cc4a16382dc6f463810252e9d7ca5847fcf924ab5db8db1446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4592495c2bbbac47e64292cc78b6b45

SHA1
4a8dfb8f2d3fbfb14bd67035d7dd22039601f186

SHA256
44d41ba84ea23885698016185c472cb1f1650c2bfb98fee085fb6dd033d0f517

SHA512
2c241c7793cdfd4c2a329ff0a373c2d505f9cd46e3a74617cc0e0a82b43be1e0428bf649a4ff8454851a43643c1ea419985a5f7f3be19137c011d7b16c518578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\95C41E8B-7069-4562-8270-18E7D978AF2F\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.PackageManagement\klkb4edf.z0l

Filesize
822B

MD5
26c50195abbfde6611a4caee3585960b

SHA1
f86bfb81eec43ea7d7cfb6eb637a54d536fa5bfd

SHA256
b2915edddbd8029336c3933115b8d8e9471fb63039177901606c5d101770e059

SHA512
f52b6657446cf0df03afbf7e90b7e325fe7c6fa3aa5f01671486ec50a1f9ee52d19e3424d58e4574e8876e04ea4d5c28c0f90be03f8bce454697d2e907ca1a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.PackageManagement\txa52ir5.lq5

Filesize
170KB

MD5
628da2d060916bba4e8623eb3e53cdc8

SHA1
2f7bf1d2a9bf85ec1a7bb7eaa5f24e3c281d96d5

SHA256
de2ebfe08d13ab88efc596dcc2aa39982ebc61366a6a222789fadf8f902efc4a

SHA512
2d4db1b3cc0a91f000ed6e8e8231b3824297cb5f34ee551b8208561e079031f9a63bf37da62f105f324ba4ee2530cc152aed4e01ee1aabfa66d7be09220d838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.PackageManagement\w54xdcpp.rcc

Filesize
1KB

MD5
d35b8c04da801de749b12d5da8a0b9a0

SHA1
0d2f5f76cc3e1b56a76d0b154ca65c333727fa97

SHA256
9cb8c56fa40380069256c24ab816bfd0e08201e16b654bd76d0ec0608dc1cce1

SHA512
df4b1b29be23c11b1687ab99c04737d15414a4dfbcc2b7d6409314fce6b585a1b948a26ebaa1c93edd59830604c023b4b0afe0b66e7a622417d14f5ca4179ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES231A.tmp

Filesize
1KB

MD5
4bb02922c3e873503f556a92f8ec9982

SHA1
cecc17ef099f9864539c349d21996cb8390bf132

SHA256
774b2d29ce5605511c4a688444a08096faccea55cb7ae36dd09217be4a60077f

SHA512
905dab0f4b292dca73063607c58e4b9155c764c34c729f53966da636327e109d365d32b0c3cf9aab6bba172db36cc5ac9d66e0493de98ca95f58507a93a4281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fzcb24j.pxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4.nupkg

Filesize
704KB

MD5
4c229b167b3a487c2a38b5f6f73db8f3

SHA1
8a0f70bd201cccb3efec1690b9a97fc5db1d4d74

SHA256
ca944bfdcf6a7d4da257e6c7733509eceab6fd444420e132fc69df468c4c218c

SHA512
0acf0001bf29f44e1c374920dd66a0d1e61e28694d4b32a29ec97f7541d941885ea7fa23fd382b54c538019642d8750d5534b44c7b0cb3925bcbb870197a2546

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7Zip4PowerShell.deps.json

Filesize
9KB

MD5
9b789a835e480006c600ab1ac441fc1e

SHA1
a71389d945bc219576aaa24f9bdc6d2dbebf40a8

SHA256
e284faf5ba5c10e44cf7bdfdaa28728ffac6acdcbe64da5a5e7153d66179bfe2

SHA512
932632c6772169c748e14ced0a16c906a8042814ead421e23802a55680dba741df8d106116266824fd41c30699b65f2d2118460d5bdba47489d59041d3eba0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7Zip4PowerShell.dll

Filesize
24KB

MD5
5fce6d6ebf9a351d11e0cba2826820cd

SHA1
6fcc0ddbdac9e67a9d5e21f383fff230bbc68580

SHA256
2503524285f8962ae0fb29f92cee5c400b65f2d4627d9a50fff2c7cfe3cbd6d1

SHA512
1ebe98ede1cc0b5bcd91c8c66a9a2dac3db6c8f4e7100270930de56dfa99709af2b78c53c680e5a12dbc3c9f3ee85d9c52a95dfaf698d81d4668d9fc2d6b2014

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7Zip4PowerShell.pdb

Filesize
15KB

MD5
ecb4c856e5a9b1c079955c1ebfced9ec

SHA1
f20a2e97549634051f8ce163ab7793d26c6b0cb9

SHA256
35b26ae9671d32151ae147551b6b8a459cc16f7f40dd4435e40d65d4db002e0f

SHA512
2ffa5e9152e3a583eb6c4a42981a8d89d4fef366271b30ca6c8f13f0b7f1f9e042d342246ef4a77d3cad10003316a8cbf55ceffa430426762273c9e4ff48e6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7Zip4Powershell.nuspec

Filesize
1KB

MD5
76281fc1c57aafd470b20dbe16f1b3ab

SHA1
96e93864713d40d4fb11f23b7f658d9074941f8e

SHA256
ac2b1d3249e693259b73c505abbd1e672749ecf2c77c996d38908afe428e2888

SHA512
fe67a30e98387c5491cdc5115b6e84729e617d473c144f4eb278f831e21bcccad3d64b5691ffbd0e2acb2748b12cdabf865b1b4cfa59d0b99e2817f101907605

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7Zip4Powershell.psd1

Filesize
1KB

MD5
ab58f8110dea6cf77d03ad60cd4d91b2

SHA1
410cbdef5fd4fbf0ca48d5bd9154ac9eb6bb72e1

SHA256
cc09282e8deea3dd8abf7ac3399ec5aa6ff26eb972442d03fb141173c4019f84

SHA512
0b180a8a8ee7fbf759dded255528629bc3370a148e5248f40dbd52dc5c1b5ec778d3beb59131c10db1ae9e619cbf6f723ec49f03ba068e80a5f5b56ade12db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7z.dll

Filesize
1.2MB

MD5
cd479d111eee1dbd85870e1c7477ad4c

SHA1
01ff945138480705d5934c766906b2c7c1a32b72

SHA256
367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

SHA512
8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\7z64.dll

Filesize
704KB

MD5
aaf6d31f0c50ad798b0365fa2eca051c

SHA1
20b23a4306a5a46ffd0cab19655a9713b03706c6

SHA256
e04f00a1125bfb742098ce89d45d4abb26a43a8806bb56bacb17f5fe3f309176

SHA512
a755e66fd390dbbde8624a0d142ad149d9b7bff23c548d63cf3c0085d0b40a6f50f9991fd995b7e405d5ef6a91030e9b99e42e9b2d5fa14c03383541ba118260

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\SevenZipSharp.dll

Filesize
1.7MB

MD5
7243ee527becae4f62c77c2e87f8335d

SHA1
295d09d307b60c10984b882fb424cf41a6e2b45e

SHA256
e73aef0d00ddbe0b3131a190bdad7986fcaf85c2ae48c3460b17632e238a59d2

SHA512
b9635551084accbc62d9c5854bceb0ba451275f21fc5c56949e95f1e7f3f1bd41fa08c88a4f9d308fff5defda06b22c65eb3334a7dd12aa5f758589cab380262

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Buffers.dll

Filesize
27KB

MD5
b66c85efa4d6f8c698476735c1ff4ecc

SHA1
e523519ece3200133c5077993920d14d436b8484

SHA256
9444b5a41a816b193c033bec199d74cdfc8298ed8300a3c39a4e953dec137494

SHA512
7a648b004c49074c557624254bfc5072e10b8094e49102d91406bcbac30d78293c84b8bbb4e0a522ffebb873ae4d47ce2a2888c0d858d6e3e5ffd1d1066933d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Configuration.ConfigurationManager.dll

Filesize
373KB

MD5
8e748f63f6012c50d96441472483da98

SHA1
a51b2808834cdf97fa666fa4421a2a2a6d52dda5

SHA256
e814b79f175ecde855c7ae003cd8bc5ed88edea4ab4089d055ed7b63da7bbec9

SHA512
b21fbf5470e28cbdea2c8d06a00de450b0286bb8b69ba7a5ba114604fcae0a5aedd5ca796eda8bd6305d5d08393c4a5e78a5701e29f6649873263def5c44329b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Management.Automation.dll

Filesize
346KB

MD5
102eb57be340abd18ff2743349ce7e5c

SHA1
7c5d3cbdb7668070615c6971c56abfba6b3205d1

SHA256
d8b667e0fde9869077d6255c0e9168c2538a9260fcadfa8b5e634bd3491f68ef

SHA512
dc543dddb69793f37b5cd809bb6727d75582dfaf5c32decdbbead1129c52c2a3bd88849ac8fae825feaf4ef6531840ea63c1e8934673e4d9aaa32a62859bdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Memory.dll

Filesize
145KB

MD5
6db6fb8767b28e24775ee2dc65394758

SHA1
a88dab84a7d313bf49ee01c7000437e57dbba697

SHA256
5dc9f4c8d55754c5bd8d4a4bbe76db6b094c017f4873166b0e629db8d4cb7238

SHA512
1e810a9891f9df219ac4e46d88fd100e407e658b97fbd6e0ca61ddd2a3371a947169fa5970e54b7d334dfbfd4f640e596b75e169b29402aca605b84873721d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Numerics.Vectors.dll

Filesize
159KB

MD5
e9abb00cd885368e7943974f8c11e61e

SHA1
31855ce721d078678676f5d07afa28ec7627b47b

SHA256
2324ee5a35674269225e2aa20957ce8830dbca0cffb918bd593f7a3222dee480

SHA512
14a2627fade56d88699e72fe78bba1a25d49ddf448b50c78acd400bf470e410866c1b67b5ebac1198d5d508fa9df1d33e58eec73eca90243609468169bbe3e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Runtime.CompilerServices.Unsafe.dll

Filesize
21KB

MD5
82d8aea1b8101b7a70c2d47636e29340

SHA1
fd55a3bc6b0928a029b29dd0559fed4ce30b79d4

SHA256
92726189520484eb6eb2fc977c1b87e6510b565387d2d0aeaf55d42058973d36

SHA512
c45b9d897d1bc3d7ea24f1cbfb3cb9c2b79212492ad85aa9613827f9a97cf40c37ff48f929bd0e8cbaa9cc34a4656df43db3df1c36370f06b0ec1bb303ef340e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Security.AccessControl.dll

Filesize
53KB

MD5
a1e4a9d456ebb3fe63f42a5a987c9112

SHA1
bb040feeeb60191cc6bc16b722bd3f15adfd6bc7

SHA256
92a0cb02750ed3f97bad1f49e1c1554b785bf226bb3b07a44b660584a5abd18a

SHA512
2cf1f95a2de5b1d29f80ddae57c263716465a3880ca1cffc28ed0ebe793601f63eb3d81d87bfad662c3a2e8d2a7ce18d76b1981617ac4f9fedc56f32bd474858

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Security.Cryptography.ProtectedData.dll

Filesize
24KB

MD5
01e21ca3e08d9cd1556a43536e55835c

SHA1
2dab77fe0f660b9724dc6d3d1247824fec5ee3a4

SHA256
80566f0839ece5946e66bf9f00d723e59e371ba1341a18e00c7c7a7c49298e1d

SHA512
5c772e149aead9da46cba980eeffc8212c0c8bea6b715478c207ac8583f0cbeb181dba6fda9593a18ac11cc6bf6ddfd2b9c1a0416cee61855b89add54cdd903c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Security.Permissions.dll

Filesize
94KB

MD5
706d8592956ef30e4a23e479e302119c

SHA1
0e9d8f70884d8f90a492f8ef79cb37d02937a136

SHA256
8ca99b4d76d2708d27040d82d87c9f2beb26987e283146aea6bc275d92e895ce

SHA512
40c3ca0a64f74110d3d7374919050a2aef2c02c105ec44e96dc52fed6c7c82cbe392a070a25602c5813c9913fcb83d8964cbf380de61e71b4fa958236b6a95d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5jn3v4\System.Security.Principal.Windows.dll

Filesize
38KB

MD5
6f4b107ed317776a058a222d0699d7d8

SHA1
9d232e1efb419c25f22895e73ad63667a9ebf782

SHA256
680d6d767cd2eb0537069e0dc6a13fa7f52a35547c8ac8ff45fa4580b9826143

SHA512
0c8bdfbb37c647a7dd124f7f1fb538a64136336a9376bb7def655440f7be202838cc20eeffd66da371114a6cc6c73daaced8a98b68372dc644d5c5ef819da549

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnlyzz3a\tnlyzz3a.dll

Filesize
10KB

MD5
319cbbfbaf82645f4b6b9c2f66f500cf

SHA1
4988b3c5c0db4df64b5420b2cc6b5e07dfa5251b

SHA256
c0aa6155cfe6231fd193d3d94b18747bc65ce24e86b5954e328fa199fd0bce04

SHA512
088677c6111b909b92b88b9dc2d9c08a590d276bb7315e7dbe4603d1f45a6bdc1a8e47d4cc18c11863381f5b3e8e7d5f4387cb79dea7abd9bfadcc5bf508c048

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
db9239ad8ed58c680c01f47aac34d322

SHA1
172a1c16c121e63486df86a860579cae4dc8f593

SHA256
63b999c6f278c1ab6b06836ec2396dd20d98816d622a92ffcb020a8436593190

SHA512
16656629d71856fc160725ca4c5f13e5f5d74b7ec2efe00148ace48133867928c33c0bd89d053c3fa389cf0ed4ee301ba4edd2dc47d9cca8e1775cc24acb1185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
991028d555c33b566fae1b8dea7f6979

SHA1
8f54380f10f110fb716d7ae8dce0ae4dcfd5b70f

SHA256
243c2935f23438fa2530de0c121a07bb78c4a0537219dbc7431d300c79b8caa8

SHA512
174ce31b1cef24513b895f7e752b2f438db8c2957f328bd2b69877e4628b60afc584903e47af5472516a93c00834df3d0fd8da5d4db3f9cc9ef3f0610a5853fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2e80096672236c30b3b4bf057df5cd50

SHA1
3b4136935b708c0113c1ed3f6b6cfa0ecfd553bc

SHA256
9f8cff557b93b51d731768cd218a14dabf6b545f0f7edf809dd2e29e2b096c59

SHA512
50ad8cd3ee9be7bce803cdc9d6febdee65da1ac5207139fe1c64113c7b6b4455aab0cbbde58caed1ca837b3f5fb9bb563f2b0fbd34c1d0984865c8398b4e4fde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fa1e3c1d2f22e3b4c5fb9f4e1e6e3cfa

SHA1
cb4229b7de668aff3977e633dcf48850b7c32703

SHA256
d0154b736aecec1cbf6e67bd70231cf358b1be6d223419a8216f121ee2fd7959

SHA512
f310cc8672022c7d34ada91279e81418381b671dcb583e324f03b7f8b86b0c68c545e41c583ede130d143ff4c42e6e69bdf72c875c531b428f3892ae6bbca6c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f1da7d24896b0fdcc822666f482c8c04

SHA1
2779c7d6a0f9f17f99a732fcda88df9d5de699fe

SHA256
ef39f3b782dfa91db9c92d23c6f752029dd1cce59304c1f8f6d79ccef085cf59

SHA512
e3316254905f29e6be31759fb04b2c1e4d8426fc917be8199389c00be17f7625b82ac638745d25b43a1972993b883253292790d48ae9ea4ff05f028687d9d973

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
7db91cb32519af5ea3bd275368ebe9f2

SHA1
cee3c5d911105afbd6514375e20319335af81750

SHA256
233b9165b94f9454024aeebafc42cbbdcf494b802debce9755557bf43c616879

SHA512
153f09aaf4b6b9c1d4f04d4234ef03c76827cb06c44875cd54eaa85578b9e57fcd1c3f1ef7d5ed91725fae1e7d76b5ee4525286ca60e475bc5ca584302d28a97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
cfe6f7bb95886dee89af3bd30a3ed4e1

SHA1
834ab2ae69bbd43b98e1532a04e1bcbfeaff68f4

SHA256
d75f9dab16c34eb7adc4fcb02f244460c9738e2c0cefd10087f96ac1efee498c

SHA512
d6a221b9a58b9e8bd313dc99a8cd68260b5795ac79741fbaefb6b849db4b7560283b943709aa37217bc7c4b012d153cd8c6e8c752461f38c876e6f18b6e77824

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
a49380d4cb88eb03b1f0a086bbb5e92b

SHA1
2a670b1be0d021665633e4d3b2f3e5167ec154fe

SHA256
8658d02e25aa2117b8a84e265805a613ea97a88280d15685ca4ec740c40f35a0

SHA512
d3845a315476e2fd569a415e9cd7c9cd6f9712e39884a652d57480ab0bb4656656e0966be31d73138ab6962222ee664c7b88da2748a472b70a75633c373c9b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
cbdfc588c1e00d97379a75c4cf9a992f

SHA1
42a48ec7576d43175f20db823ec28e9cb1d79605

SHA256
fbdbcb66bc8552fad5774d835205f48eb3928fb97c1a3276124a5de2501b7fcd

SHA512
8591ece74164c59fc7949999c3117e1aadc5e2c58f9959d69b662d02b38e911d32e08e1f1e7c4db6be68afd5853a636e709d397e315c2d536538cc6a52b078aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
c2e8a3ecb1a29ea0f7ac03e9ecd12b1a

SHA1
63ebb419b12c08865d39159b9a38042426985f10

SHA256
fc1cd655de85297867017202c635f968481959c8a2f21644ecf324a85653f220

SHA512
c6a0e6cefe148675051c699c89cfc692e103d6496930da2786246dc16f3811aaffb0eaf077a1d6291c082f30b81c799cc122d424e94c9e94a4c2d337c9199ac4

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
191KB

MD5
e535a3b05dc0dcaa2d10c1886240c1f5

SHA1
952c42eea39696851dd78cfd7c3409d26e52b003

SHA256
147e313606fc322e7d0b1857960238e003cc729353ae06cde4fef78d8866b2ee

SHA512
6a171e7b71a0b08a5d865d575dd256682d2c1dbcab897cf69ba234fffb1389e175854a759693504eb584921d334f318d9e4589a2ff880a86262e1da8d9ae9bd7

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
214KB

MD5
d0a7735aee98905a9b1e77c9a61c9530

SHA1
bf809d545ae027e2d89f725e29dce786df174ae8

SHA256
fa670bbd875461efae530d0946f18de4bbd6a477d8f74f5da9ff790748d64d9b

SHA512
7e42f4d50139c5ea3328139cfa2c07b26bb5212b2f0127e88609d379c703ba7c5bfa58f174302c4cd46edae3a8ee434c31e8ff9bb294750e9adfcb0842bf6512

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk

Filesize
8KB

MD5
bcd05a990b67908bbcb57be03cf78cf4

SHA1
2988e7560d5a96756cfc2cdb3579e7e1d59e381b

SHA256
e340af7a95ae37caa8002266269a73afaecdebd7f24568cda9a93a753939836a

SHA512
7344a344cabef8da457e67ebb83697870d35dce4e4cb0d8bee334e66582543c7eb8b62a0d15c7ff351ff7f5e2e204cfb52ca04137dad9917b45160e86a992634

Download Submit
C:\Windows\Temp\MAS_16274055.cmd

Filesize
435KB

MD5
b1e469c7fba7663e8371378e864adc7e

SHA1
582f59f5ee6f5828c46cd74a408916d4f26e5c3c

SHA256
44ec64a8abbeb95774240b82c8a35491c4072d98bd57f7941c0831468cda32d0

SHA512
6380be0edb3112fb3c8049b766e1699342f7d99182167c6a41b2a76383fb7ef0c93e796e70ce8c2d1c4230f5126b48868511e7015eabe161fde3947488abde60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnlyzz3a\CSC125F2AEE50524B8685A6D1EEC7ECCA44.TMP

Filesize
652B

MD5
8fe994076c0aeed5db6834378b4e2cef

SHA1
695a466cfce5928b297bb1320fc2d0c3a9384776

SHA256
fcce1c566b16207cb7b51b213528c062599d2ccf81fd3b5fdb7f7d45a933c38b

SHA512
df89fa1035e1ec017976cd28c4137f6b82ae11f3df39d7bbc03d987218b64af2c629d4c483f948a596913b9b4c292e82c3a7b8e0f6b092f882fe51f87d7d2070

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnlyzz3a\tnlyzz3a.0.cs

Filesize
10KB

MD5
a29444398ac9a819c5d208948b81a14c

SHA1
fad400b1b7c8041846304012e39c8e80b60b0305

SHA256
f447865e0c75b6c39becab9b9527fcc583def24c18a66cc815a9419f375ddc11

SHA512
b75a16673e7c7e37cb8ac45d6e6793694890b4b5293cd5b2a1ce477211dd79a8c80ca4df58808eff85315fb2b0b6bfbe4cb36ddd3dae61105707a173776685ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnlyzz3a\tnlyzz3a.cmdline

Filesize
450B

MD5
05d2c4954616316a41800c40e47968db

SHA1
82a08147ef613da78e0213f7b14606b7ea40f300

SHA256
21160f7e4c2499adf4b134c849b3e5cad2b5346705e0dc237371cfd70136313f

SHA512
d06b917f8b193e722fa2f840c96867d4a3dc93fe62c7805a66586c2a5f23ed26b7260ae8e863381ef36f56fa211a5a17a1582dd253f3a25476c044ff506b1faf

Download Submit
memory/1060-1710-0x000001472B950000-0x000001472B960000-memory.dmp

Filesize
64KB

Download
memory/1060-1711-0x000001472B950000-0x000001472B960000-memory.dmp

Filesize
64KB

Download
memory/1060-1722-0x000001472B950000-0x000001472B960000-memory.dmp

Filesize
64KB

Download
memory/1300-1694-0x00000232672E0000-0x00000232672F0000-memory.dmp

Filesize
64KB

Download
memory/1300-1701-0x00000232672E0000-0x00000232672F0000-memory.dmp

Filesize
64KB

Download
memory/1476-783-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-1039-0x00007FF498C00000-0x00007FF498C10000-memory.dmp

Filesize
64KB

Download
memory/1476-661-0x000001ACCACA0000-0x000001ACCACC2000-memory.dmp

Filesize
136KB

Download
memory/1476-671-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/1476-672-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-673-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-674-0x000001ACE4230000-0x000001ACE43F2000-memory.dmp

Filesize
1.8MB

Download
memory/1476-675-0x000001ACE4060000-0x000001ACE408E000-memory.dmp

Filesize
184KB

Download
memory/1476-676-0x000001ACE40E0000-0x000001ACE4124000-memory.dmp

Filesize
272KB

Download
memory/1476-678-0x000001ACE40B0000-0x000001ACE40C8000-memory.dmp

Filesize
96KB

Download
memory/1476-679-0x000001ACE4130000-0x000001ACE4144000-memory.dmp

Filesize
80KB

Download
memory/1476-681-0x000001ACE4190000-0x000001ACE41D0000-memory.dmp

Filesize
256KB

Download
memory/1476-680-0x000001ACCAE20000-0x000001ACCAE2A000-memory.dmp

Filesize
40KB

Download
memory/1476-677-0x000001ACE4090000-0x000001ACE40A6000-memory.dmp

Filesize
88KB

Download
memory/1476-706-0x000001ACCAE30000-0x000001ACCAE38000-memory.dmp

Filesize
32KB

Download
memory/1476-766-0x000001ACE4200000-0x000001ACE422C000-memory.dmp

Filesize
176KB

Download
memory/1476-771-0x000001ACE4880000-0x000001ACE48F6000-memory.dmp

Filesize
472KB

Download
memory/1476-774-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-778-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/1476-780-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-782-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-784-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-789-0x000001ACE41F0000-0x000001ACE41FA000-memory.dmp

Filesize
40KB

Download
memory/1476-790-0x000001ACE4820000-0x000001ACE4832000-memory.dmp

Filesize
72KB

Download
memory/1476-915-0x00007FF498C00000-0x00007FF498C10000-memory.dmp

Filesize
64KB

Download
memory/1476-926-0x000001ACE4810000-0x000001ACE481C000-memory.dmp

Filesize
48KB

Download
memory/1476-1128-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/1476-929-0x000001ACE4860000-0x000001ACE487A000-memory.dmp

Filesize
104KB

Download
memory/1476-931-0x000001ACE4AD0000-0x000001ACE4C94000-memory.dmp

Filesize
1.8MB

Download
memory/1476-1034-0x000001ACE4900000-0x000001ACE4926000-memory.dmp

Filesize
152KB

Download
memory/1476-1035-0x000001ACE4840000-0x000001ACE4854000-memory.dmp

Filesize
80KB

Download
memory/1476-1036-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/1476-1038-0x000001ACCACE0000-0x000001ACCACF0000-memory.dmp

Filesize
64KB

Download
memory/2068-1141-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1151-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1148-0x0000021E19D50000-0x0000021E19D60000-memory.dmp

Filesize
64KB

Download
memory/2068-1146-0x0000021E19D50000-0x0000021E19D60000-memory.dmp

Filesize
64KB

Download
memory/2164-1690-0x000001A031020000-0x000001A031030000-memory.dmp

Filesize
64KB

Download
memory/2164-1692-0x000001A031020000-0x000001A031030000-memory.dmp

Filesize
64KB

Download
memory/2164-1703-0x000001A031020000-0x000001A031030000-memory.dmp

Filesize
64KB

Download
memory/2460-1713-0x0000020B0CFC0000-0x0000020B0CFD0000-memory.dmp

Filesize
64KB

Download
memory/2460-1720-0x0000020B0CFC0000-0x0000020B0CFD0000-memory.dmp

Filesize
64KB

Download
memory/2548-1045-0x0000013036220000-0x0000013036230000-memory.dmp

Filesize
64KB

Download
memory/2548-1052-0x000001303E340000-0x000001303E341000-memory.dmp

Filesize
4KB

Download
memory/2548-1060-0x000001303E460000-0x000001303E461000-memory.dmp

Filesize
4KB

Download
memory/2548-1041-0x00000130357B0000-0x00000130357C0000-memory.dmp

Filesize
64KB

Download
memory/2548-1054-0x000001303E3C0000-0x000001303E3C1000-memory.dmp

Filesize
4KB

Download
memory/2548-1056-0x000001303E3C0000-0x000001303E3C1000-memory.dmp

Filesize
4KB

Download
memory/2548-1057-0x000001303E450000-0x000001303E451000-memory.dmp

Filesize
4KB

Download
memory/2548-1058-0x000001303E450000-0x000001303E451000-memory.dmp

Filesize
4KB

Download
memory/2548-1059-0x000001303E460000-0x000001303E461000-memory.dmp

Filesize
4KB

Download
memory/2944-1169-0x00000256588D0000-0x00000256588E0000-memory.dmp

Filesize
64KB

Download
memory/2944-1188-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/2944-1168-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/2944-1170-0x00000256588D0000-0x00000256588E0000-memory.dmp

Filesize
64KB

Download
memory/2944-1171-0x00000256588D0000-0x00000256588E0000-memory.dmp

Filesize
64KB

Download
memory/2956-1074-0x00007FF63EFE0000-0x00007FF63F0D8000-memory.dmp

Filesize
992KB

Download
memory/2956-1078-0x00007FF9C3DB0000-0x00007FF9C3EC2000-memory.dmp

Filesize
1.1MB

Download
memory/2956-1077-0x00007FF9C4410000-0x00007FF9C54BB000-memory.dmp

Filesize
16.7MB

Download
memory/2956-1076-0x00007FF9C8670000-0x00007FF9C8924000-memory.dmp

Filesize
2.7MB

Download
memory/2956-1075-0x00007FF9D21F0000-0x00007FF9D2224000-memory.dmp

Filesize
208KB

Download
memory/3004-1202-0x0000025F7F200000-0x0000025F7F210000-memory.dmp

Filesize
64KB

Download
memory/3004-1201-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/3176-1238-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1244-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1245-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1246-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1247-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1248-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1249-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1243-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1239-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3176-1237-0x000001D5217E0000-0x000001D5217E1000-memory.dmp

Filesize
4KB

Download
memory/3652-1087-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1085-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1121-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1123-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1122-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1125-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1124-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1119-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1095-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1096-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1097-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1094-0x00007FF9AFCB0000-0x00007FF9AFCC0000-memory.dmp

Filesize
64KB

Download
memory/3652-1098-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1093-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1092-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1084-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1083-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1082-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1091-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1090-0x00007FF9AFCB0000-0x00007FF9AFCC0000-memory.dmp

Filesize
64KB

Download
memory/3652-1089-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1088-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1120-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1086-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1079-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/3652-1081-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1080-0x00007FF9B2350000-0x00007FF9B2360000-memory.dmp

Filesize
64KB

Download
memory/4932-1187-0x000001E4FB3C0000-0x000001E4FB3D0000-memory.dmp

Filesize
64KB

Download
memory/4932-1186-0x000001E4FB3C0000-0x000001E4FB3D0000-memory.dmp

Filesize
64KB

Download
memory/4932-1190-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download
memory/4932-1185-0x00007FF9D1190000-0x00007FF9D1C51000-memory.dmp

Filesize
10.8MB

Download