Analysis
max time kernel: 589s
max time network: 489s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 08-04-2024 11:46
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://massgrave.dev/index.html#method_1_-_powershell
Resource
win11-20240221-en
General
Target
https://massgrave.dev/index.html#method_1_-_powershell
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid   Process
4060  dismhost.exe
Loads dropped DLL 23 IoCs
pid   Process
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
4060  dismhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
3     bitbucket.org
26    bitbucket.org
27    bitbucket.org
Drops file in Windows directory 3 IoCs
description                   ioc                                Process
File opened for modification  C:\Windows\Logs\DISM\dism.log      Dism.exe
File opened for modification  C:\Windows\Logs\DISM\dism.log      dismhost.exe
File opened for modification  C:\Windows\SystemTemp\tem5CF6.tmp  Clipup.exe
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
1704  sc.exe
3920  sc.exe
2056  sc.exe
1352  sc.exe
344   sc.exe
3560  sc.exe
256   sc.exe
2280  sc.exe
5048  sc.exe
3436  sc.exe
3684  sc.exe
4320  sc.exe
2420  sc.exe
840   sc.exe
2024  sc.exe
3056  sc.exe
2056  sc.exe
3336  sc.exe
3924  sc.exe
2908  sc.exe
1412  sc.exe
3736  sc.exe
2320  sc.exe
876   sc.exe
3672  sc.exe
4928  sc.exe
3436  sc.exe
4960  sc.exe
4856  sc.exe
2420  sc.exe
3056  sc.exe
4264  sc.exe
1588  sc.exe
2300  sc.exe
2472  sc.exe
772   sc.exe
4456  sc.exe
4284  sc.exe
1140  sc.exe
2056  sc.exe
4052  sc.exe
260   sc.exe
1900  sc.exe
556   sc.exe
548   sc.exe
3752  sc.exe
3960  sc.exe
3420  sc.exe
4728  sc.exe
2024  sc.exe
3748  sc.exe
4868  sc.exe
2104  sc.exe
344   sc.exe
4152  sc.exe
1436  sc.exe
2616  sc.exe
4760  sc.exe
1184  sc.exe
1172  sc.exe
1316  sc.exe
3336  sc.exe
3160  sc.exe
4824  sc.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                            Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                 clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs   clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID      Clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs   Clipup.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000            Clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  Clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  clipup.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                 Clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  Clipup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID      clipup.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000            clipup.exe
Delays execution with timeout.exe 1 IoCs
pid   Process
1712  timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                               Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description      ioc                                                                                                    Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570503860436642"  chrome.exe
Modifies registry class 2 IoCs
description  ioc                                                                                            Process
Key created  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache   MiniSearchHost.exe
Key created  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings            chrome.exe
Modifies registry key 1 TTPs 64 IoCs
pid   Process
1944  reg.exe
1172  reg.exe
2568  reg.exe
3740  reg.exe
756   reg.exe
4728  reg.exe
2980  reg.exe
3036  reg.exe
4224  reg.exe
1132  reg.exe
2608  reg.exe
2812  reg.exe
2892  reg.exe
1412  reg.exe
2616  reg.exe
3160  reg.exe
3112  reg.exe
2816  reg.exe
2944  reg.exe
2156  reg.exe
1116  reg.exe
4936  reg.exe
1020  reg.exe
1712  reg.exe
2384  reg.exe
3460  reg.exe
4928  reg.exe
1908  reg.exe
4264  reg.exe
4260  reg.exe
1020  reg.exe
4828  reg.exe
344   reg.exe
4260  reg.exe
2280  reg.exe
3652  reg.exe
3804  reg.exe
3924  reg.exe
1712  reg.exe
2156  reg.exe
1816  reg.exe
2472  reg.exe
3448  reg.exe
2248  reg.exe
2904  reg.exe
2300  reg.exe
2240  reg.exe
4828  reg.exe
4020  reg.exe
1492  reg.exe
4820  reg.exe
2532  reg.exe
3340  reg.exe
3808  reg.exe
2248  reg.exe
4320  reg.exe
416   reg.exe
4820  reg.exe
1412  reg.exe
2964  reg.exe
1712  reg.exe
3112  reg.exe
5056  reg.exe
2056  reg.exe
NTFS ADS 1 IoCs
description                   ioc                                                                                            Process
File opened for modification  C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d.zip:Zone.Identifier  chrome.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid   Process
2308  PING.EXE
556   PING.EXE
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid   Process
1220  chrome.exe
1220  chrome.exe
4228  chrome.exe
4228  chrome.exe
2836  powershell.exe
2836  powershell.exe
2836  powershell.exe
1356  powershell.exe
1356  powershell.exe
1356  powershell.exe
2300  powershell.exe
2300  powershell.exe
2300  powershell.exe
2816  powershell.exe
2816  powershell.exe
2816  powershell.exe
1332  powershell.exe
1332  powershell.exe
1332  powershell.exe
1356  powershell.exe
1356  powershell.exe
1356  powershell.exe
3672  powershell.exe
3672  powershell.exe
3672  powershell.exe
5096  powershell.exe
5096  powershell.exe
5096  powershell.exe
3916  powershell.exe
3916  powershell.exe
3916  powershell.exe
1676  powershell.exe
1676  powershell.exe
1676  powershell.exe
2960  powershell.exe
2960  powershell.exe
2960  powershell.exe
4692  powershell.exe
4692  powershell.exe
4692  powershell.exe
3808  powershell.exe
3808  powershell.exe
3808  powershell.exe
3216  powershell.exe
3216  powershell.exe
3216  powershell.exe
2528  powershell.exe
2528  powershell.exe
2528  powershell.exe
4444  powershell.exe
4444  powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid   Process
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                       pid   Process
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Token: SeShutdownPrivilege        1220  chrome.exe
Token: SeCreatePagefilePrivilege  1220  chrome.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid   Process
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
Suspicious use of SendNotifyMessage 12 IoCs
pid   Process
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
1220  chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
5112  MiniSearchHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process     procid_target
PID 1220 wrote to memory of 132    1220  chrome.exe  79
PID 1220 wrote to memory of 132    1220  chrome.exe  79
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 1348   1220  chrome.exe  82
PID 1220 wrote to memory of 3928   1220  chrome.exe  83
PID 1220 wrote to memory of 3928   1220  chrome.exe  83
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
PID 1220 wrote to memory of 5080   1220  chrome.exe  84
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://massgrave.dev/index.html#method_1_-_powershell1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffccf999758,0x7ffccf999768,0x7ffccf9997782⤵PID:132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:22⤵PID:1348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:3928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:12⤵PID:4956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:12⤵PID:3976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:3892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:2404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4688 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:12⤵PID:2408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:4936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵
- NTFS ADS
PID:1292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:82⤵PID:772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1292
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5112
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:2500
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,1⤵PID:4344
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "1⤵PID:1520
-
C:\Windows\System32\sc.exesc query Null2⤵
- Launches sc.exe
PID:548
-
-
C:\Windows\System32\find.exefind /i "RUNNING"2⤵PID:4820
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_AIO-CRC32_60BA35A8.cmd"2⤵PID:1292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵PID:664
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV22⤵PID:4144
-
-
C:\Windows\System32\find.exefind /i "0x0"2⤵PID:416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd2⤵PID:4052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "3⤵PID:1116
-
-
C:\Windows\System32\cmd.execmd3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "2⤵PID:3672
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"2⤵PID:4928
-
-
C:\Windows\System32\fltMC.exefltmc2⤵PID:4572
-
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit2⤵
- Modifies registry key
PID:4264
-
-
C:\Windows\System32\find.exefind /i "0x0"2⤵PID:4132
-
-
C:\Windows\System32\reg.exereg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f2⤵
- Modifies registry key
PID:2248
-
-
C:\Windows\System32\cmd.execmd.exe /c ""C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" -qedit"2⤵PID:4524
-
C:\Windows\System32\reg.exereg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f3⤵PID:3336
-
-
C:\Windows\System32\sc.exesc query Null3⤵PID:3740
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:3564
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_AIO-CRC32_60BA35A8.cmd"3⤵PID:1948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "3⤵PID:4868
-
-
C:\Windows\System32\find.exefind /i "/"3⤵PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:5068
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:1816
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:4344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:2616
-
-
C:\Windows\System32\cmd.execmd4⤵PID:2104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "3⤵PID:4304
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:2472
-
-
C:\Windows\System32\fltMC.exefltmc3⤵PID:3172
-
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit3⤵
- Modifies registry key
PID:2384
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev3⤵PID:4320
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev4⤵
- Runs ping.exe
PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "3⤵PID:1704
-
-
C:\Windows\System32\find.exefind "127.69"3⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "3⤵PID:3056
-
-
C:\Windows\System32\find.exefind "127.69.2.5"3⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "3⤵PID:3656
-
-
C:\Windows\System32\find.exefind /i "/S"3⤵PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "3⤵PID:2028
-
-
C:\Windows\System32\find.exefind /i "/"3⤵PID:1524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵PID:3516
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:3196
-
-
-
C:\Windows\System32\mode.commode 76, 303⤵PID:4060
-
-
C:\Windows\System32\choice.exechoice /C:123456780 /N3⤵PID:3100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:2416
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:1672
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:3316
-
-
C:\Windows\System32\cmd.execmd4⤵PID:4472
-
-
-
C:\Windows\System32\mode.commode 110, 343⤵PID:4052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $ExecutionContext.SessionState.LanguageMode3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836
-
-
C:\Windows\System32\find.exefind /i "Full"3⤵PID:2036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"3⤵PID:2588
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "3⤵PID:4268
-
-
C:\Windows\System32\find.exefind /i "Windows"3⤵PID:3644
-
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:3808
-
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵PID:1944
-
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:4320
-
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵PID:4152
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵PID:2056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"3⤵PID:5096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul3⤵PID:1448
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn4⤵PID:664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul3⤵PID:1316
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST4⤵PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵PID:4144
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:4132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net3⤵PID:1172
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net4⤵
- Runs ping.exe
PID:556
-
-
-
C:\Windows\System32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:3816
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:4484
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:5048
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:2420
-
-
C:\Windows\System32\sc.exesc start ClipSVC3⤵
- Launches sc.exe
PID:4928
-
-
C:\Windows\System32\sc.exesc query ClipSVC3⤵
- Launches sc.exe
PID:260
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService3⤵PID:1900
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description3⤵
- Modifies registry key
PID:2944
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName3⤵PID:1456
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl3⤵PID:4040
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath3⤵PID:4224
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName3⤵
- Modifies registry key
PID:2156
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start3⤵PID:1816
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type3⤵
- Modifies registry key
PID:2892
-
-
C:\Windows\System32\sc.exesc start wlidsvc3⤵
- Launches sc.exe
PID:3336
-
-
C:\Windows\System32\sc.exesc query wlidsvc3⤵
- Launches sc.exe
PID:772
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService3⤵
- Modifies registry key
PID:5056
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description3⤵PID:2608
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName3⤵PID:2904
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl3⤵PID:3560
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath3⤵
- Modifies registry key
PID:1944
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName3⤵
- Modifies registry key
PID:4320
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start3⤵
- Modifies registry key
PID:3652
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type3⤵
- Modifies registry key
PID:756
-
-
C:\Windows\System32\sc.exesc start sppsvc3⤵PID:2280
-
-
C:\Windows\System32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:3748
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService3⤵
- Modifies registry key
PID:2056
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description3⤵
- Modifies registry key
PID:4728
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName3⤵
- Modifies registry key
PID:344
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl3⤵
- Modifies registry key
PID:1712
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath3⤵
- Modifies registry key
PID:1412
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName3⤵PID:4808
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
- Modifies registry key
PID:2980
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type3⤵
- Modifies registry key
PID:2240
-
-
C:\Windows\System32\sc.exesc start KeyIso3⤵PID:1672
-
-
C:\Windows\System32\sc.exesc query KeyIso3⤵PID:400
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService3⤵PID:1116
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description3⤵
- Modifies registry key
PID:3112
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName3⤵
- Modifies registry key
PID:416
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl3⤵
- Modifies registry key
PID:3036
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath3⤵
- Modifies registry key
PID:3804
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName3⤵
- Modifies registry key
PID:1172
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start3⤵
- Modifies registry key
PID:4260
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type3⤵
- Modifies registry key
PID:2248
-
-
C:\Windows\System32\sc.exesc start LicenseManager3⤵
- Launches sc.exe
PID:2420
-
-
C:\Windows\System32\sc.exesc query LicenseManager3⤵
- Launches sc.exe
PID:4868
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService3⤵PID:5068
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description3⤵
- Modifies registry key
PID:3460
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName3⤵PID:3192
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl3⤵
- Modifies registry key
PID:3924
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath3⤵
- Modifies registry key
PID:3340
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName3⤵
- Modifies registry key
PID:4224
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start3⤵
- Modifies registry key
PID:2156
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type3⤵
- Modifies registry key
PID:1816
-
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵PID:2892
-
-
C:\Windows\System32\sc.exesc query Winmgmt3⤵
- Launches sc.exe
PID:4456
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService3⤵PID:4268
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description3⤵PID:4884
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName3⤵
- Modifies registry key
PID:2616
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl3⤵PID:4304
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath3⤵
- Modifies registry key
PID:2472
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName3⤵
- Modifies registry key
PID:3448
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
- Modifies registry key
PID:3808
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type3⤵PID:1892
-
-
C:\Windows\System32\sc.exesc start DoSvc3⤵
- Launches sc.exe
PID:3960
-
-
C:\Windows\System32\sc.exesc query DoSvc3⤵
- Launches sc.exe
PID:3056
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService3⤵PID:4152
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description3⤵
- Modifies registry key
PID:2568
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName3⤵
- Modifies registry key
PID:4820
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl3⤵
- Modifies registry key
PID:1020
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath3⤵
- Modifies registry key
PID:1712
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName3⤵
- Modifies registry key
PID:1412
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start3⤵PID:2024
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type3⤵PID:2960
-
-
C:\Windows\System32\sc.exesc start UsoSvc3⤵PID:2020
-
-
C:\Windows\System32\sc.exesc query UsoSvc3⤵
- Launches sc.exe
PID:1184
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService3⤵PID:3548
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description3⤵
- Modifies registry key
PID:3160
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName3⤵
- Modifies registry key
PID:1116
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl3⤵
- Modifies registry key
PID:3112
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath3⤵
- Modifies registry key
PID:1132
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName3⤵
- Modifies registry key
PID:4828
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start3⤵PID:724
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type3⤵PID:3036
-
-
C:\Windows\System32\sc.exesc start CryptSvc3⤵
- Launches sc.exe
PID:4264
-
-
C:\Windows\System32\sc.exesc query CryptSvc3⤵
- Launches sc.exe
PID:1172
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService3⤵
- Modifies registry key
PID:4260
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description3⤵
- Modifies registry key
PID:4936
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName3⤵
- Modifies registry key
PID:4928
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl3⤵PID:3504
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath3⤵PID:4284
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName3⤵
- Modifies registry key
PID:4020
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start3⤵
- Modifies registry key
PID:3740
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type3⤵PID:3080
-
-
C:\Windows\System32\sc.exesc start BITS3⤵
- Launches sc.exe
PID:4856
-
-
C:\Windows\System32\sc.exesc query BITS3⤵
- Launches sc.exe
PID:1588
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService3⤵PID:3336
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description3⤵
- Modifies registry key
PID:2608
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName3⤵
- Modifies registry key
PID:2904
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl3⤵PID:876
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath3⤵
- Modifies registry key
PID:1908
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName3⤵
- Modifies registry key
PID:1492
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start3⤵PID:3808
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type3⤵
- Modifies registry key
PID:2280
-
-
C:\Windows\System32\sc.exesc start TrustedInstaller3⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\System32\sc.exesc query TrustedInstaller3⤵
- Launches sc.exe
PID:4152
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService3⤵
- Modifies registry key
PID:4820
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description3⤵
- Modifies registry key
PID:1020
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName3⤵
- Modifies registry key
PID:1712
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl3⤵PID:4808
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath3⤵PID:5084
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName3⤵
- Modifies registry key
PID:2300
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start3⤵PID:2804
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type3⤵
- Modifies registry key
PID:2812
-
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
- Launches sc.exe
PID:3752
-
-
C:\Windows\System32\sc.exesc query wuauserv3⤵
- Launches sc.exe
PID:1316
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService3⤵
- Modifies registry key
PID:2964
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description3⤵
- Modifies registry key
PID:4828
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName3⤵PID:556
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl3⤵PID:3672
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath3⤵PID:4364
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName3⤵PID:3444
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
- Modifies registry key
PID:2816
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type3⤵PID:4868
-
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵
- Launches sc.exe
PID:1900
-
-
C:\Windows\System32\sc.exesc query WaaSMedicSvc3⤵
- Launches sc.exe
PID:3420
-
-
C:\Windows\System32\sc.exesc start ClipSVC3⤵
- Launches sc.exe
PID:4284
-
-
C:\Windows\System32\sc.exesc start wlidsvc3⤵
- Launches sc.exe
PID:1436
-
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:3924
-
-
C:\Windows\System32\sc.exesc start KeyIso3⤵
- Launches sc.exe
PID:3736
-
-
C:\Windows\System32\sc.exesc start LicenseManager3⤵
- Launches sc.exe
PID:2320
-
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
- Launches sc.exe
PID:3436
-
-
C:\Windows\System32\sc.exesc start DoSvc3⤵
- Launches sc.exe
PID:2104
-
-
C:\Windows\System32\sc.exesc start UsoSvc3⤵
- Launches sc.exe
PID:3336
-
-
C:\Windows\System32\sc.exesc start CryptSvc3⤵
- Launches sc.exe
PID:2616
-
-
C:\Windows\System32\sc.exesc start BITS3⤵
- Launches sc.exe
PID:3560
-
-
C:\Windows\System32\sc.exesc start TrustedInstaller3⤵
- Launches sc.exe
PID:2908
-
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
- Launches sc.exe
PID:876
-
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵PID:4320
-
-
C:\Windows\System32\sc.exesc config DoSvc start= delayed-auto3⤵
- Launches sc.exe
PID:1352
-
-
C:\Windows\System32\sc.exesc config UsoSvc start= delayed-auto3⤵
- Launches sc.exe
PID:1704
-
-
C:\Windows\System32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
PID:840
-
-
C:\Windows\System32\sc.exesc query ClipSVC3⤵
- Launches sc.exe
PID:2280
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1960
-
-
C:\Windows\System32\sc.exesc start ClipSVC3⤵
- Launches sc.exe
PID:4728
-
-
C:\Windows\System32\sc.exesc query wlidsvc3⤵
- Launches sc.exe
PID:344
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:4820
-
-
C:\Windows\System32\sc.exesc start wlidsvc3⤵
- Launches sc.exe
PID:1412
-
-
C:\Windows\System32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:2024
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:4808
-
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
PID:3056
-
-
C:\Windows\System32\sc.exesc query KeyIso3⤵PID:400
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:2804
-
-
C:\Windows\System32\sc.exesc start KeyIso3⤵
- Launches sc.exe
PID:3160
-
-
C:\Windows\System32\sc.exesc query LicenseManager3⤵
- Launches sc.exe
PID:4824
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1316
-
-
C:\Windows\System32\sc.exesc start LicenseManager3⤵
- Launches sc.exe
PID:3920
-
-
C:\Windows\System32\sc.exesc query Winmgmt3⤵PID:4828
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1936
-
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
- Launches sc.exe
PID:3672
-
-
C:\Windows\System32\sc.exesc query DoSvc3⤵
- Launches sc.exe
PID:5048
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service DoSvc3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816
-
-
C:\Windows\System32\sc.exesc query DoSvc3⤵PID:1492
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:3048
-
-
C:\Windows\System32\sc.exesc start DoSvc3⤵
- Launches sc.exe
PID:4760
-
-
C:\Windows\System32\sc.exesc query UsoSvc3⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:3748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service UsoSvc3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332
-
-
C:\Windows\System32\sc.exesc query UsoSvc3⤵
- Launches sc.exe
PID:556
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1172
-
-
C:\Windows\System32\sc.exesc start UsoSvc3⤵
- Launches sc.exe
PID:2420
-
-
C:\Windows\System32\sc.exesc query CryptSvc3⤵
- Launches sc.exe
PID:256
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1436
-
-
C:\Windows\System32\sc.exesc start CryptSvc3⤵
- Launches sc.exe
PID:3436
-
-
C:\Windows\System32\sc.exesc query BITS3⤵
- Launches sc.exe
PID:4960
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:2316
-
-
C:\Windows\System32\sc.exesc start BITS3⤵
- Launches sc.exe
PID:1140
-
-
C:\Windows\System32\sc.exesc query TrustedInstaller3⤵PID:1900
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:3736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service TrustedInstaller3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356
-
-
C:\Windows\System32\sc.exesc query TrustedInstaller3⤵
- Launches sc.exe
PID:344
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:680
-
-
C:\Windows\System32\sc.exesc start TrustedInstaller3⤵
- Launches sc.exe
PID:2024
-
-
C:\Windows\System32\sc.exesc query wuauserv3⤵
- Launches sc.exe
PID:2300
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service wuauserv3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3672
-
-
C:\Windows\System32\sc.exesc query wuauserv3⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:4152
-
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
- Launches sc.exe
PID:3684
-
-
C:\Windows\System32\sc.exesc query WaaSMedicSvc3⤵
- Launches sc.exe
PID:4052
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service WaaSMedicSvc3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096
-
-
C:\Windows\System32\sc.exesc query WaaSMedicSvc3⤵PID:412
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:1356
-
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵PID:344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "3⤵PID:2020
-
-
C:\Windows\System32\findstr.exefindstr /i "ClipSVC-1058 sppsvc-1058"3⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState3⤵PID:1332
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState4⤵PID:4236
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot3⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul3⤵PID:3804
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd') -split ':wpatest\:.*';iex ($f[1]);"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "5" "3⤵PID:2484
-
-
C:\Windows\System32\find.exefind /i "Error Found"3⤵PID:3112
-
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition3⤵
- Drops file in Windows directory
PID:2416
-
C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\dismhost.exeC:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\dismhost.exe {B2F7A4E2-72FD-4574-AC99-96F689E39DFA}4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4060
-
-
-
C:\Windows\System32\cmd.execmd /c exit /b -21474672593⤵PID:1704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul3⤵PID:3748
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID4⤵PID:1672
-
-
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv3⤵PID:4244
-
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:1844
-
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:4772
-
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵PID:344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "0" "3⤵PID:1072
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440"3⤵PID:236
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"3⤵PID:2700
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"3⤵PID:1016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul3⤵PID:4352
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"4⤵PID:2484
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d3⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul3⤵PID:3112
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore4⤵PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵PID:1172
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵PID:2716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692
-
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility3⤵PID:4152
-
-
C:\Windows\System32\find.exefind /i "windowsupdate"3⤵PID:1448
-
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress3⤵PID:1492
-
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s3⤵
- Modifies registry key
PID:2532
-
-
C:\Windows\System32\findstr.exefindstr /i "NoAutoUpdate DisableWindowsUpdateAccess"3⤵PID:4748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "3⤵PID:2716
-
-
C:\Windows\System32\find.exefind /i "wuauserv"3⤵PID:1172
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps3⤵PID:2104
-
-
C:\Windows\System32\find.exefind /i "0x1"3⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd 
fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "3⤵PID:3548
-
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"3⤵PID:3120
-
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"3⤵PID:4456
-
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵PID:3104
-
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul3⤵PID:1676
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name4⤵PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul3⤵PID:4228
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation4⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))3⤵PID:2480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "3⤵PID:468
-
-
C:\Windows\System32\find.exefind "AAAA"3⤵PID:4352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Restart-Service ClipSVC3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216
-
-
    C:\Windows\System32\timeout.exe (PID 1712)
      timeout /t 2
      - Delays execution with timeout.exe
    C:\Windows\System32\ClipUp.exe (PID 1936)
      clipup -v -o
      C:\Windows\System32\clipup.exe (PID 2420)
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem641A.tmp
        - Checks SCSI registry key(s)
    C:\Windows\system32\cmd.exe (PID 4260)
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2528)
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe (PID 4436)
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    C:\Windows\System32\find.exe (PID 3548)
      find /i "Windows"
    C:\Windows\System32\wbem\WMIC.exe (PID 680)
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
    C:\Windows\System32\cmd.exe (PID 3700)
      cmd /c exit /b 0
    C:\Windows\System32\wbem\WMIC.exe (PID 3904)
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    C:\Windows\System32\findstr.exe (PID 236)
      findstr /i "Windows"
    C:\Windows\System32\mode.com (PID 4992)
      mode 76, 30
    C:\Windows\System32\choice.exe (PID 3124)
      choice /C:123456780 /N
    C:\Windows\System32\mode.com (PID 2832)
      mode con cols=100 lines=32
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4444)
      powershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe (PID 2448)
      C:\Windows\system32\cmd.exe /c ver
    C:\Windows\System32\Wbem\WMIC.exe (PID 2256)
      wmic path Win32_ComputerSystem get CreationClassName /value
    C:\Windows\System32\find.exe (PID 1332)
      find /i "ComputerSystem"
    C:\Windows\System32\sc.exe (PID 2472)
      sc query osppsvc
      - Launches sc.exe
    C:\Windows\System32\net.exe (PID 3320)
      net start sppsvc /y
      C:\Windows\system32\net1.exe (PID 1028)
        C:\Windows\system32\net1 start sppsvc /y
    C:\Windows\System32\Wbem\WMIC.exe (PID 2028)
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    C:\Windows\System32\findstr.exe (PID 1524)
      findstr /i ID
    C:\Windows\System32\Wbem\WMIC.exe (PID 3484)
      wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    C:\Windows\System32\findstr.exe (PID 1236)
      findstr /i ID
    C:\Windows\system32\cmd.exe (PID 5096)
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
      C:\Windows\System32\Wbem\WMIC.exe (PID 4556)
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    C:\Windows\system32\cmd.exe (PID 2248)
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
      C:\Windows\System32\Wbem\WMIC.exe (PID 4572)
        wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      C:\Windows\System32\findstr.exe (PID 896)
        findstr =
    C:\Windows\system32\cmd.exe (PID 2704)
      C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
    C:\Windows\System32\findstr.exe (PID 5116)
      findstr /i VOLUME_KMSCLIENT
    C:\Windows\system32\cmd.exe (PID 4624)
      C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
    C:\Windows\System32\findstr.exe (PID 2576)
      findstr /i TIMEBASED_
    C:\Windows\system32\cmd.exe (PID 2228)
      C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
    C:\Windows\System32\findstr.exe (PID 1676)
      findstr /i VIRTUAL_MACHINE_ACTIVATION
    C:\Windows\System32\cmd.exe (PID 2524)
      cmd /c exit /b 1074066433
    C:\Windows\system32\cmd.exe (PID 5060)
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
      C:\Windows\System32\Wbem\WMIC.exe (PID 2072)
        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    C:\Windows\system32\cmd.exe (PID 544)
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
      C:\Windows\System32\Wbem\WMIC.exe (PID 840)
        wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      C:\Windows\System32\findstr.exe (PID 1628)
        findstr =
    C:\Windows\system32\cmd.exe (PID 668)
      C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    C:\Windows\System32\findstr.exe (PID 2232)
      findstr /i VOLUME_KMSCLIENT
    C:\Windows\system32\cmd.exe (PID 3192)
      C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    C:\Windows\System32\findstr.exe (PID 3364)
      findstr /i TIMEBASED_
    C:\Windows\system32\cmd.exe (PID 1132)
      C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    C:\Windows\System32\findstr.exe (PID 4836)
      findstr /i VIRTUAL_MACHINE_ACTIVATION
    C:\Windows\System32\cmd.exe (PID 2312)
      cmd /c exit /b 3221549142
    C:\Windows\system32\cmd.exe (PID 2700)
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
      C:\Windows\System32\Wbem\WMIC.exe (PID 3672)
        wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      C:\Windows\System32\findstr.exe (PID 3448)
        findstr =
C:\Windows\system32\Clipup.exe (PID 4792)
  "C:\Windows\system32\Clipup.exe" -o
  C:\Windows\system32\Clipup.exe (PID 756)
    "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem5CF6.tmp
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d.zip:Zone.Identifier
Filesize
151B