Analysis

  • max time kernel
    589s
  • max time network
    489s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-04-2024 11:46

General

  • Target

    https://massgrave.dev/index.html#method_1_-_powershell

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 23 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 64 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 64 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://massgrave.dev/index.html#method_1_-_powershell
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffccf999758,0x7ffccf999768,0x7ffccf999778
      2⤵
        PID:132
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:2
        2⤵
          PID:1348
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
          2⤵
            PID:3928
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
            2⤵
              PID:5080
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:1
              2⤵
                PID:4956
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:1
                2⤵
                  PID:3976
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
                  2⤵
                    PID:3892
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
                    2⤵
                      PID:2404
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4688 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:1
                      2⤵
                        PID:2408
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
                        2⤵
                          PID:4936
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
                          2⤵
                          • NTFS ADS
                          PID:1292
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:8
                          2⤵
                            PID:772
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 --field-trial-handle=1840,i,18100719310864134813,8017122780559308642,131072 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4228
                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                          1⤵
                            PID:1292
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                            1⤵
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:5112
                          • C:\Windows\SysWOW64\DllHost.exe
                            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                            1⤵
                              PID:2500
                            • C:\Windows\system32\rundll32.exe
                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
                              1⤵
                                PID:4344
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:3836
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "
                                  1⤵
                                    PID:1520
                                    • C:\Windows\System32\sc.exe
                                      sc query Null
                                      2⤵
                                      • Launches sc.exe
                                      PID:548
                                    • C:\Windows\System32\find.exe
                                      find /i "RUNNING"
                                      2⤵
                                        PID:4820
                                      • C:\Windows\System32\findstr.exe
                                        findstr /v "$" "MAS_AIO-CRC32_60BA35A8.cmd"
                                        2⤵
                                          PID:1292
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ver
                                          2⤵
                                            PID:664
                                          • C:\Windows\System32\reg.exe
                                            reg query "HKCU\Console" /v ForceV2
                                            2⤵
                                              PID:4144
                                            • C:\Windows\System32\find.exe
                                              find /i "0x0"
                                              2⤵
                                                PID:416
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
                                                2⤵
                                                  PID:4052
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
                                                    3⤵
                                                      PID:1116
                                                    • C:\Windows\System32\cmd.exe
                                                      cmd
                                                      3⤵
                                                        PID:4936
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "
                                                      2⤵
                                                        PID:3672
                                                      • C:\Windows\System32\find.exe
                                                        find /i "C:\Users\Admin\AppData\Local\Temp"
                                                        2⤵
                                                          PID:4928
                                                        • C:\Windows\System32\fltMC.exe
                                                          fltmc
                                                          2⤵
                                                            PID:4572
                                                          • C:\Windows\System32\reg.exe
                                                            reg query HKCU\Console /v QuickEdit
                                                            2⤵
                                                            • Modifies registry key
                                                            PID:4264
                                                          • C:\Windows\System32\find.exe
                                                            find /i "0x0"
                                                            2⤵
                                                              PID:4132
                                                            • C:\Windows\System32\reg.exe
                                                              reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
                                                              2⤵
                                                              • Modifies registry key
                                                              PID:2248
                                                            • C:\Windows\System32\cmd.exe
                                                              cmd.exe /c ""C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" -qedit"
                                                              2⤵
                                                                PID:4524
                                                                • C:\Windows\System32\reg.exe
                                                                  reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
                                                                  3⤵
                                                                    PID:3336
                                                                  • C:\Windows\System32\sc.exe
                                                                    sc query Null
                                                                    3⤵
                                                                      PID:3740
                                                                    • C:\Windows\System32\find.exe
                                                                      find /i "RUNNING"
                                                                      3⤵
                                                                        PID:3564
                                                                      • C:\Windows\System32\findstr.exe
                                                                        findstr /v "$" "MAS_AIO-CRC32_60BA35A8.cmd"
                                                                        3⤵
                                                                          PID:1948
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
                                                                          3⤵
                                                                            PID:4868
                                                                          • C:\Windows\System32\find.exe
                                                                            find /i "/"
                                                                            3⤵
                                                                              PID:4856
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ver
                                                                              3⤵
                                                                                PID:5068
                                                                              • C:\Windows\System32\reg.exe
                                                                                reg query "HKCU\Console" /v ForceV2
                                                                                3⤵
                                                                                  PID:1816
                                                                                • C:\Windows\System32\find.exe
                                                                                  find /i "0x0"
                                                                                  3⤵
                                                                                    PID:464
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
                                                                                    3⤵
                                                                                      PID:4344
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
                                                                                        4⤵
                                                                                          PID:2616
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          cmd
                                                                                          4⤵
                                                                                            PID:2104
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd" "
                                                                                          3⤵
                                                                                            PID:4304
                                                                                          • C:\Windows\System32\find.exe
                                                                                            find /i "C:\Users\Admin\AppData\Local\Temp"
                                                                                            3⤵
                                                                                              PID:2472
                                                                                            • C:\Windows\System32\fltMC.exe
                                                                                              fltmc
                                                                                              3⤵
                                                                                                PID:3172
                                                                                              • C:\Windows\System32\reg.exe
                                                                                                reg query HKCU\Console /v QuickEdit
                                                                                                3⤵
                                                                                                • Modifies registry key
                                                                                                PID:2384
                                                                                              • C:\Windows\System32\find.exe
                                                                                                find /i "0x0"
                                                                                                3⤵
                                                                                                  PID:2256
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
                                                                                                  3⤵
                                                                                                    PID:4320
                                                                                                    • C:\Windows\System32\PING.EXE
                                                                                                      ping -4 -n 1 updatecheck.massgrave.dev
                                                                                                      4⤵
                                                                                                      • Runs ping.exe
                                                                                                      PID:2308
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
                                                                                                    3⤵
                                                                                                      PID:1704
                                                                                                    • C:\Windows\System32\find.exe
                                                                                                      find "127.69"
                                                                                                      3⤵
                                                                                                        PID:840
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
                                                                                                        3⤵
                                                                                                          PID:3056
                                                                                                        • C:\Windows\System32\find.exe
                                                                                                          find "127.69.2.5"
                                                                                                          3⤵
                                                                                                            PID:2312
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
                                                                                                            3⤵
                                                                                                              PID:3656
                                                                                                            • C:\Windows\System32\find.exe
                                                                                                              find /i "/S"
                                                                                                              3⤵
                                                                                                                PID:4992
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
                                                                                                                3⤵
                                                                                                                  PID:2028
                                                                                                                • C:\Windows\System32\find.exe
                                                                                                                  find /i "/"
                                                                                                                  3⤵
                                                                                                                    PID:1524
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
                                                                                                                    3⤵
                                                                                                                      PID:3516
                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
                                                                                                                        4⤵
                                                                                                                          PID:3196
                                                                                                                      • C:\Windows\System32\mode.com
                                                                                                                        mode 76, 30
                                                                                                                        3⤵
                                                                                                                          PID:4060
                                                                                                                        • C:\Windows\System32\choice.exe
                                                                                                                          choice /C:123456780 /N
                                                                                                                          3⤵
                                                                                                                            PID:3100
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c ver
                                                                                                                            3⤵
                                                                                                                              PID:2416
                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                              reg query "HKCU\Console" /v ForceV2
                                                                                                                              3⤵
                                                                                                                                PID:1672
                                                                                                                              • C:\Windows\System32\find.exe
                                                                                                                                find /i "0x0"
                                                                                                                                3⤵
                                                                                                                                  PID:908
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
                                                                                                                                  3⤵
                                                                                                                                    PID:416
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
                                                                                                                                      4⤵
                                                                                                                                        PID:3316
                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                        cmd
                                                                                                                                        4⤵
                                                                                                                                          PID:4472
                                                                                                                                      • C:\Windows\System32\mode.com
                                                                                                                                        mode 110, 34
                                                                                                                                        3⤵
                                                                                                                                          PID:4052
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell.exe $ExecutionContext.SessionState.LanguageMode
                                                                                                                                          3⤵
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:2836
                                                                                                                                        • C:\Windows\System32\find.exe
                                                                                                                                          find /i "Full"
                                                                                                                                          3⤵
                                                                                                                                            PID:2036
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
                                                                                                                                            3⤵
                                                                                                                                              PID:2588
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
                                                                                                                                                4⤵
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:1356
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
                                                                                                                                              3⤵
                                                                                                                                                PID:4268
                                                                                                                                              • C:\Windows\System32\find.exe
                                                                                                                                                find /i "Windows"
                                                                                                                                                3⤵
                                                                                                                                                  PID:3644
                                                                                                                                                • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                  wmic path Win32_ComputerSystem get CreationClassName /value
                                                                                                                                                  3⤵
                                                                                                                                                    PID:3808
                                                                                                                                                  • C:\Windows\System32\find.exe
                                                                                                                                                    find /i "computersystem"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1944
                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                      sc start sppsvc
                                                                                                                                                      3⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:4320
                                                                                                                                                    • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
                                                                                                                                                      3⤵
                                                                                                                                                        PID:4152
                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                        findstr /i "Windows"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2056
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:5096
                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                              powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
                                                                                                                                                              4⤵
                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                              PID:2300
                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
                                                                                                                                                            3⤵
                                                                                                                                                              PID:1448
                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:664
                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:1316
                                                                                                                                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:3752
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4144
                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:4828
                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ver
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:4132
                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:1172
                                                                                                                                                                            • C:\Windows\System32\PING.EXE
                                                                                                                                                                              ping -n 1 l.root-servers.net
                                                                                                                                                                              4⤵
                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                              PID:556
                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                            reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:3816
                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                              find /i "0x0"
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:4484
                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:5048
                                                                                                                                                                                • C:\Windows\System32\find.exe
                                                                                                                                                                                  find /i "0x0"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:2420
                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                    sc start ClipSVC
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:4928
                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                    sc query ClipSVC
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:260
                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:1900
                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                      PID:2944
                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:1456
                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:4040
                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:4224
                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                            PID:2156
                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:1816
                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                              PID:2892
                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                              sc start wlidsvc
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:3336
                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                              sc query wlidsvc
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:772
                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                              PID:5056
                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:2608
                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:2904
                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:3560
                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                    PID:1944
                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                    PID:4320
                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                    PID:3652
                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                    PID:756
                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                    sc start sppsvc
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:2280
                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                      sc query sppsvc
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                      PID:3748
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                      PID:2056
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                      PID:4728
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                      PID:344
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                      PID:1712
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                      PID:1412
                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:4808
                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                        PID:2980
                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                        PID:2240
                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                        sc start KeyIso
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1672
                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                          sc query KeyIso
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:400
                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:1116
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:3112
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:416
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:3036
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:3804
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:1172
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:4260
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                              PID:2248
                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                              sc start LicenseManager
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:2420
                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                              sc query LicenseManager
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:4868
                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:5068
                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies registry key
                                                                                                                                                                                                                PID:3460
                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:3192
                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                  PID:3924
                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                  PID:3340
                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                  PID:4224
                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                  PID:2156
                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                  PID:1816
                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                  sc start Winmgmt
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:2892
                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                    sc query Winmgmt
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                    PID:4456
                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:4268
                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:4884
                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                                        PID:2616
                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:4304
                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                          PID:2472
                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                          PID:3448
                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                          PID:3808
                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:1892
                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                            sc start DoSvc
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                            PID:3960
                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                            sc query DoSvc
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                            PID:3056
                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:4152
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                              PID:2568
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                              PID:4820
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                              PID:1020
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                              PID:1712
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                              PID:1412
                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:2024
                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:2960
                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                  sc start UsoSvc
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:2020
                                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                    sc query UsoSvc
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                    PID:1184
                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:3548
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:3160
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:1116
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:3112
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:1132
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:4828
                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:724
                                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:3036
                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                          sc start CryptSvc
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                          PID:4264
                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                          sc query CryptSvc
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                          PID:1172
                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                          PID:4260
                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                          PID:4936
                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                          PID:4928
                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:3504
                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:4284
                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                                              PID:4020
                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                                              PID:3740
                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:3080
                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                sc start BITS
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                PID:4856
                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                sc query BITS
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                PID:1588
                                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:3336
                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                                                  PID:2608
                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                                                  PID:2904
                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:876
                                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                                    PID:1908
                                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:3808
                                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                                      PID:2280
                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                      sc start TrustedInstaller
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                      PID:2056
                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                      sc query TrustedInstaller
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                      PID:4152
                                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                                      PID:4820
                                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                                      PID:1020
                                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                                      PID:1712
                                                                                                                                                                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:4808
                                                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:5084
                                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                                          PID:2300
                                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                          reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:2804
                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                                                                                            PID:2812
                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                            sc start wuauserv
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                            PID:3752
                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                            sc query wuauserv
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                            PID:1316
                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                                                                                            PID:2964
                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                                                                                            PID:4828
                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                            reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:556
                                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                              reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:3672
                                                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:4364
                                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                  reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:3444
                                                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                                                    PID:2816
                                                                                                                                                                                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:4868
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start WaaSMedicSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:1900
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc query WaaSMedicSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3420
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start ClipSVC
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:4284
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start wlidsvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:1436
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start sppsvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3924
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start KeyIso
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3736
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start LicenseManager
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:2320
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start Winmgmt
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3436
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start DoSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:2104
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start UsoSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3336
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start CryptSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:2616
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start BITS
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:3560
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start TrustedInstaller
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:2908
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start wuauserv
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                      PID:876
                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      sc start WaaSMedicSvc
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:4320
                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                        sc config DoSvc start= delayed-auto
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                        PID:1352
                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                        sc config UsoSvc start= delayed-auto
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                        PID:1704
                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                        sc config wuauserv start= demand
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                        PID:840
                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                        sc query ClipSVC
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                        PID:2280
                                                                                                                                                                                                                                                                      • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                        find /i "RUNNING"
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                          sc start ClipSVC
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                          PID:4728
                                                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                          sc query wlidsvc
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                          PID:344
                                                                                                                                                                                                                                                                        • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                          find /i "RUNNING"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:4820
                                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                            sc start wlidsvc
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                            PID:1412
                                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                            sc query sppsvc
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                            PID:2024
                                                                                                                                                                                                                                                                          • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                            find /i "RUNNING"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:4808
                                                                                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                              sc start sppsvc
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                              PID:3056
                                                                                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                              sc query KeyIso
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:400
                                                                                                                                                                                                                                                                              • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                find /i "RUNNING"
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:2804
                                                                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                  sc start KeyIso
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                  PID:3160
                                                                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                  sc query LicenseManager
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                  PID:4824
                                                                                                                                                                                                                                                                                • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                  find /i "RUNNING"
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:1316
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                    sc start LicenseManager
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                                                                    PID:3920
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                    sc query Winmgmt
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:4828
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                      find /i "RUNNING"
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:1936
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                        sc start Winmgmt
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                                        PID:3672
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                        sc query DoSvc
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                                        PID:5048
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                        find /i "RUNNING"
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:4260
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell.exe Start-Service DoSvc
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                          PID:2816
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                          sc query DoSvc
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:1492
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                            find /i "RUNNING"
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                              PID:3048
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                              sc start DoSvc
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                              PID:4760
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                              sc query UsoSvc
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                              find /i "RUNNING"
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                PID:3748
                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                powershell.exe Start-Service UsoSvc
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                PID:1332
                                                                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                sc query UsoSvc
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                PID:556
                                                                                                                                                                                                                                                                                              • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                find /i "RUNNING"
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:1172
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                  sc start UsoSvc
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                                  PID:2420
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                  sc query CryptSvc
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                                  PID:256
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                  find /i "RUNNING"
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:1436
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                    sc start CryptSvc
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                                                                                    PID:3436
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                    sc query BITS
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                                                                                    PID:4960
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                    find /i "RUNNING"
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:2316
                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                      sc start BITS
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                                                      PID:1140
                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                      sc query TrustedInstaller
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:1900
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                        find /i "RUNNING"
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                          PID:3736
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          powershell.exe Start-Service TrustedInstaller
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                          PID:1356
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                          sc query TrustedInstaller
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                                                          PID:344
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                          find /i "RUNNING"
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:680
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                            sc start TrustedInstaller
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                                            PID:2024
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                            sc query wuauserv
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                                            PID:2300
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                            find /i "RUNNING"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:3056
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                              powershell.exe Start-Service wuauserv
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                              PID:3672
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                              sc query wuauserv
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                              find /i "RUNNING"
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:4152
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                                sc start wuauserv
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                                PID:3684
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                                sc query WaaSMedicSvc
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                                PID:4052
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                find /i "RUNNING"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:1292
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                  powershell.exe Start-Service WaaSMedicSvc
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                  PID:5096
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                                  sc query WaaSMedicSvc
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:412
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                    find /i "RUNNING"
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:1356
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                                      sc start WaaSMedicSvc
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:344
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:2020
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                          findstr /i "ClipSVC-1058 sppsvc-1058"
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:4820
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:1332
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:4236
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:2040
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:3804
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d\MAS\All-In-One-Version\MAS_AIO-CRC32_60BA35A8.cmd') -split ':wpatest\:.*';iex ($f[1]);"
                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                      PID:3916
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo "5" "
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:2484
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                      find /i "Error Found"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:3112
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Dism.exe
                                                                                                                                                                                                                                                                                                                                        DISM /English /Online /Get-CurrentEdition
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                        PID:2416
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\dismhost.exe
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\dismhost.exe {B2F7A4E2-72FD-4574-AC99-96F689E39DFA}
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                          PID:4060
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                        cmd /c exit /b -2147467259
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:1704
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:3748
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                              reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:1672
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                                                                                                                              cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:4244
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                cmd /c exit /b 0
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1844
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                  wmic path Win32_ComputerSystem get CreationClassName /value
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:4772
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                    find /i "computersystem"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:344
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:1072
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                        findstr /i "0x800410 0x800440"
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                          PID:236
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                          reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2700
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                            reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:1016
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:4352
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:2484
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:4152
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:3112
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:3440
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1172
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                            wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:2716
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                            powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                            PID:1676
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                            powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                            PID:2960
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                            powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                            PID:4692
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                            reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4152
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                              find /i "windowsupdate"
                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:1448
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:1492
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                                                                                                                                                                                  PID:2532
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                  findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:4748
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:2716
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                      find /i "wuauserv"
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:1172
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                        reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:2104
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                          find /i "0x1"
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:2040
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:3548
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                              find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3120
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:4456
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c exit /b 0
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3104
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2776
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:1676
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          reg query "HKCU\Control Panel\International\Geo" /v Name
                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3036
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:4228
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                              reg query "HKCU\Control Panel\International\Geo" /v Nation
                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:5096
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2480
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3808
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:468
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  find "AAAA"
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4352
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    powershell.exe Restart-Service ClipSVC
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3216
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    timeout /t 2
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\ClipUp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    clipup -v -o
                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1936
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\clipup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem641A.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2420
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4260
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2528
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4436
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          find /i "Windows"
                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3548
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:680
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c exit /b 0
                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3700
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3904
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  findstr /i "Windows"
                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:236
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\mode.com
                                                                                                                                                                                                                                                                                                                                                                                                                                    mode 76, 30
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4992
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\choice.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      choice /C:123456780 /N
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3124
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\mode.com
                                                                                                                                                                                                                                                                                                                                                                                                                                        mode con cols=100 lines=32
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2832
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4444
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ver
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            wmic path Win32_ComputerSystem get CreationClassName /value
                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2256
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\find.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              find /i "ComputerSystem"
                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1332
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                sc query osppsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2472
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\net.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                net start sppsvc /y
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3320
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\net1 start sppsvc /y
                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1028
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2028
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      findstr /i ID
                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1524
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          findstr /i ID
                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1236
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5096
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4556
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    wmic path SoftwareLicensingProduct where ID='4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        findstr /i VOLUME_KMSCLIENT
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            findstr /i TIMEBASED_
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, RETAIL channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                findstr /i VIRTUAL_MACHINE_ACTIVATION
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c exit /b 1074066433
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                findstr /i VOLUME_KMSCLIENT
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    findstr /i TIMEBASED_
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        findstr /i VIRTUAL_MACHINE_ACTIVATION
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c exit /b 3221549142
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  findstr =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\Clipup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Clipup.exe" -o
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\Clipup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem5CF6.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:756

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                67a8abe602fd21c5683962fa75f8c9fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e296942da1d2b56452e05ae7f753cd176d488ea8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                264B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                47169b6de0a709736d94c3953e8d619e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3e99d2f22cafdc58d72892fefc8b39e9839995d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fcc02e72070e1fa420dbadc183d64b653a3ca345a854ee79b078eb5e19dfea34

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                41ee22639b44f66813d28ce0309f851bb92eee4938913421701334ca4759eeed168994a49e60d163f3b322c72768006a1e1c91af7dec5f64bcaf8df422ba9e2b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                825B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2f768caa7aa97006afe892cea8adc01e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                89df4ae0a9e2e297038323c2155705bc93ed1429

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3b4eb8773b6458473a87e8ddac7e11d818454dfa50f21ae938588d88e6709bd8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                88b9f90123a5a65e6b411c05e280dd3ad1b82876bbed5e2dbcae88f0aee86ca6b9b8448207bbab8831595a8b0dfcb7669f46994fee8e7779d0253ff52d6b09c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                896B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d7b83008dfaa27199c970055b0742c2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9853d5467c303c50144fe416173a272939931be3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a73bf8f4cda0a688e098b7a4a02f27b61391e2c9b814a9223bffce04d575451b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b4e522ea11c63cbd250a6c8ade156dfde14a9c9d258e0163914ff7cc84778bd4c31bd5088a6ebe6afee3ae466871e45ef2a314c3120e0f12eca7e1f61611b61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                538B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7a63fe258816162c14a14d9cba1b715b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                34057cfd856d891333a98df39e60d07c62c0474d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9bd17568ef0f85fed0e960ef02fe1aa5c24506598840c1c6f5609e2bf5c7c5bb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                294a6db57c25dfceb6da07f73dffdaadcfac43c2f698b65d8a31342f1423cff58cd29892690337880787ccc2f2c37a96f3c33282079f5c5a80bb5dbcb648e2b7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                703B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3a20a5266059e856eae4e9169893e4df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1999a711c12e76974abf1623457a454528afe74a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ce41f105daa376227531db6f5770fc442460525929ae8e5f53448f4ce474714d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8e801610733e03052ecbf647260e1f7dc890ac4c4a30e7670d1dce104ddaff375edc0f6be0ca95de07335b26c4a2981fabf3573c0116c4e57230a9583d350148

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1f89f1863ad6854a4803beb3cc87f520

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c4f3720009305fd5915d615651fd7d442c6e6ff9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                851086ec434287a1a5261ca420cba3fa3ff9100f1827a70c8407a7e4e5d76929

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                db21f7c914069e959bc8b6cc721a9407fc3393ee1aae49a8a3104f3f0184d89b58240fdc73df5e54069c45210a6949d80f094802b0dfa59c2f204edc01ea708d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                949784498b558c1eb6e2f66e74066fb4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d508e6dfb64047585ce3a2b69f3e0dbddcb52a9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6fa5ba5c994d83d0b3883cced78affbe5f11a45be04ac2ec3ae18cd24db5f42b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2b1acc903a277a35c0c1b7616d8023feca563165a52441e8439eb1a6d576f12b7bd3694c49b52e63114503d0d3843e7d1d8c87be4b7efce3addbd496211d4b11

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0da911f32929266459eee6a73976c946

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                72eea98af5baa644bd57aca7bef138aaf4e6b382

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                db96027335b0045314ee38c180c51aaaef1c7af30c94be5a36495dba92a31ddf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                29648a54a1b7a14b2bd17a40c64d9e4dd000907ba4da08f2877a6aef2685171fd6d6609cb9a371e7e94b6bb7e132b27a42c4f98a40b2ab3031e01f1bee8c1131

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                130KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5210081134a31c156c01e90da8f1e19a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b0083fec0d9482b03f9d187efb31e3be9165196d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3e4363f29c3348902252263fca9acfea5dafd4b2033d8ecd0bee352869498da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3dcba4d807c1e1045bb3e617dd89cbf667d1824a164ac78ce8aad4e041d9f957091f6c977c7834cf5350dad90edb2b67a3d8e20aa891b8b11b53661388063d1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                130KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fa88364b0d171433d22aa9a0e3bc19ba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e88b894fc360e06a55c8c5d9cd234b4180379070

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0d7fb26baca3d527f36bea10cf73603319ee61db534560d0638e155d1adb3373

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cddc2bbdb242c914bfa20ce0de2c4d50e44c8443c655ba956928f66903f5384b44162c9e7a7128df5fcecb9516c32bbaae95e673833b465c43432c6c17d2537b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                103KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ceceeb5d6bd0bbad92b3ca43bf3ce1d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fce88be91a3a5ce0c1d6f6c19b6c77b53335cc39

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32d3697cab751e1850402878b41d043fc581cb178f6036f70a65b463196c1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e1b04215217c990311110e14935f0a2481213a76ee70cea8a7e9e35cc4ca6919121dc7b3831932f672ce05a1b54104fe97459eb35050035aa183d032afeffcef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                98KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                af5d555ccd9152738d5ae28fe5da5866

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c2f30ddc24e4d274a8f2b73fd3820035229f3be6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                66d43e906987efaf93605a85fc902023fb179044c4f2f1fe2a7810e9c005f360

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                384b39b25d9b1596422601e3009923c2314811db0d09236aad52aa82a616a0a2ced9a7f543603f1a2d0f4383e5113c1b6307371d265bde89cb6d805e44859f8a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58eeff.TMP

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                93KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e9971071c76e853bf122eed9129abcb3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2c389a409cb8572c3895834cb85ff764eae6483a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c38268b9d7038a02c58aee8007a391e5b23cc5e94eb033931f58dd89986a148f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64cb14509e2fcda3d8cb4f57931b7e35aed2994b9878351ecad96eb82d313ebeaa1accd6813a35a31a1f5c2ff71c6a698f6d17d59a7039078bafd8fb942dd287

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                99914b932bd37a50b983c5e7c90ae93b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                627073ee3ca9676911bee35548eff2b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                feadc4e1a70c13480ef147aca0c47bc0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d7a5084c93842a290b24dacec0cd3904c2266819

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b3809d6bd978d7d4b574cca868273433

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1ecd5200938eb12269cd692417fa540ade0ed42d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                40b9816dd06975e3006a7628a23d7bceb6c5c1e2957b8ac7a05d469acf188916

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                20b185d39b5483c1ce09b8c0b30df44de0ac9cd50ca82bac8f93ac53f867e9dd83f403d43f36f3128fce5d612242391340ed20fa5d43f177c73bdb4a3b56257b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                84719b15e20ae559c6f29dba7a3d0097

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                88345454b1eb5c1f39dcad5dfad4ecc268bd6f50

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4910d430710a79f88662d02e7e2bea4b2e4a8ec4748283871e670b2a32a7bf3f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5d5fb11d6a6ee8a4bb2f85a3e8c709ef4024f9d523900b1ae22af5facfc8dc503b3be4203658ea5f4ea59143c68d1dd1080faee8b20961f45de367778e640bd9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a6c9d692ed2826ecb12c09356e69cc09

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                def728a6138cf083d8a7c61337f3c9dade41a37f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                446dd1cf97eaba21cf14d03aebc79f27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                deace1f3e3f4fff66c9e1ab8fdd10b75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a6a793f8e6628020a852b817f4941fa5fe85c326

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1773e2aa319ae388e654acd214635d9c2334f0922471d7b79f5360a355a9a27f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1c74bff974f4b248f6b5fd79dc6ea6a50518cd57e91e4415497c36371b36c4a310069fc5ae6a6435c2eed21c991fe9ed33427bcfd46d3fe71fbfd28a233f31b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c1eb57545c15470f48512f8829bc41c1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                59faad284490a0c0cc4dd31beef81442cd9a0f0f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4f609b706753d6259500f7955a3d596047088d7c74ce4937d559d9e553f6e9f2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                abc2912f6d3588a7b6dd2a48b3df00a1598137184b6a09b6c69b41379d6cc9f9f7cb55337e785ae2982e5b92bf086942bc2d4387972964078ea577b1f0be414c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\AssocProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                702f9c8fb68fd19514c106e749ec357d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\DismCorePS.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                200KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7f751738de9ac0f2544b2722f3a19eb0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7187c57cd1bd378ef73ba9ad686a758b892c89dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\DismHost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                168KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                17275206102d1cf6f17346fd73300030

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\DismProv.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                292KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2ac64cc617d144ae4f37677b5cdbb9b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                13fe83d7489d302de9ccefbf02c7737e7f9442f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\DmiProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                436KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e54120aa50f14e0d3d257e77db46ece5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                922203542962ec5f938dcb3c876f060ecf17f9dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\EdgeProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                200KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c22cc16103ee51ba59b765c6b449bddb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b0683f837e1e44c46c9a050e0a3753893ece24ad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\Ffuprovider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                680KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a41b0e08419de4d9874893b813dccb5c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2390e00f2c2bc9779e99a669193666688064ea77

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\GenericProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                172KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                20fb116831396d9477e352d42097741c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7e063ac9bc173a81dc56dc5864f912041e2c725a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\IBSProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                84KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f6b7301c18f651567a5f816c2eb7384d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                40cd6efc28aa7efe86b265af208b0e49bec09ae4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\ImagingProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                248KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4c6d681704e3070df2a9d3f42d3a58a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\IntlProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                312KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                34035aed2021763bec1a7112d53732f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7132595f73755c3ae20a01b6863ac9518f7b75a4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\LogProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                108KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c63f6b6d4498f2ec95de15645c48e086

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                29f71180feed44f023da9b119ba112f2e23e6a10

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\MsiProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                208KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                eb171b7a41a7dd48940f7521da61feb0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9f2a5ddac7b78615f5a7af753d835aaa41e788fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\OSProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                180KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e9833a54c1a1bfdab3e5189f3f740ff9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ffb999c781161d9a694a841728995fda5b6da6d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\OfflineSetupProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                213KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3437087e6819614a8d54c9bc59a23139

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ae84efe44b02bacdb9da876e18715100a18362be

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\ProvProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                800KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2ef388f7769205ca319630dd328dcef1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6dc9ed84e72af4d3e7793c07cfb244626470f3b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\ServicingCommon.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                944KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                07231bdae9d15bfca7d97f571de3a521

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\SmiProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                272KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                46e3e59dbf300ae56292dea398197837

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                78636b25fdb32c8fcdf5fe73cac611213f13a8be

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\SysprepProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                820KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4dfa1eeec0822bfcfb95e4fa8ec6c143

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                54251e697e289020a72e1fd412e34713f2e292cf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\TransmogProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c1c56a9c6ea636dbca49cfcc45a188c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d852e49978a08e662804bf3d7ec93d8f6401a174

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\UnattendProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7c61284580a6bc4a4c9c92a39bd9ea08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4579294e3f3b6c03b03b15c249b9cac66e730d2a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\Vhdprovider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                596KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8a655555544b2915b5d8676cbf3d77ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\89B295CD-ADDE-4F2C-A505-3213D62A84D0\WimProvider.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                672KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bcf8735528bb89555fc687b1ed358844

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5ef5b24631d2f447c58b0973f61cb02118ae4adc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lf12aaqc.41l.ps1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                60B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\WindowsAddict-microsoft-activation-scripts-d59e2b0e6e7d.zip:Zone.Identifier

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                151B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                388040d833d61ac30f44f5bd5a814f6d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                42dfeab4a2dbbbc117c45f30d26e9169a587f478

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                00d0e7d0b88e28e095042c6165aaba91478470d0cf3ad6a04d2fdae29ecc1d86

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                226ff3f69e5a3206955f2d8985cc9a5077f1fc84d9ff7f1b226f3c0f5c54633b426703c063f556c63b7ddccee2d0cf227cf855b94d742bc298fe799b2253b094

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\Logs\DISM\dism.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                17KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9e2eb8b3923e532aec88d8acb1962753

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                643137257d9af8cdffb669f639202e83c2c2258a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                53954133235cf9e77a85148e00cee622350a630df9ad70bf0a18b8344428f7a3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                862ac6637ef507d713818b3b212ac21ba2a10e928af911e30dfa73ea71e5861c122d56531181beebb0f330f608cf671a63276f594cbb3d4eb737cc16847fbfad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\Logs\DISM\dism.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                23KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7ab0271070b686cb99ce57d07a0dd157

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                950a5b2b7a5a72d8985675ade29b430517e304dd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f270c9188c01083263fbeea60e42e771b7456c6fb109de4a46e65233d2482544

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                20870af72a1013cd1361d813f7ce5c6a0dcb16316c3f09edf9e310177d31af96dfee084494e9c5078c3a3ade23e500df725cf4b66bca9f9841d57682ac5c7093

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/756-532-0x000001D342940000-0x000001D342950000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/756-528-0x000001D342940000-0x000001D342950000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/756-527-0x000001D342940000-0x000001D342950000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/756-525-0x000001D342940000-0x000001D342950000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1332-273-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1332-271-0x000001AC861F0000-0x000001AC86200000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1332-270-0x000001AC861F0000-0x000001AC86200000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1332-269-0x000001AC861F0000-0x000001AC86200000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1332-268-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-227-0x000001ABFC970000-0x000001ABFC980000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-225-0x000001ABFC970000-0x000001ABFC980000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-297-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-276-0x000002B67E7F0000-0x000002B67E800000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-224-0x000001ABFC970000-0x000001ABFC980000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-274-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-275-0x000002B67E7F0000-0x000002B67E800000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-229-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-286-0x000002B67E7F0000-0x000002B67E800000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1356-223-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1676-460-0x000002B0BCD30000-0x000002B0BCD40000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1676-458-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1676-462-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1676-459-0x000002B0BCD30000-0x000002B0BCD40000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1936-541-0x0000023AA6DE0000-0x0000023AA6DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1936-543-0x0000023AA6DE0000-0x0000023AA6DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1936-553-0x0000023AA6DE0000-0x0000023AA6DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2300-232-0x000001CBFFA00000-0x000001CBFFA10000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2300-230-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2300-243-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2300-231-0x000001CBFFA00000-0x000001CBFFA10000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2420-545-0x00000196DBE90000-0x00000196DBEA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2420-546-0x00000196DBE90000-0x00000196DBEA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2420-551-0x00000196DBE90000-0x00000196DBEA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2816-258-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2816-244-0x00007FFCB96A0000-0x00007FFCBA162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2816-256-0x000001D667670000-0x000001D667680000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2816-246-0x000001D667670000-0x000001D667680000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2816-245-0x000001D667670000-0x000001D667680000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2836-209-0x000001B83F950000-0x000001B83F960000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2836-210-0x000001B83F950000-0x000001B83F960000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2836-208-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2836-207-0x000001B83F910000-0x000001B83F932000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2836-213-0x00007FFCB9BB0000-0x00007FFCBA672000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2960-465-0x00000196E6EA0000-0x00000196E6EB0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2960-463-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2960-464-0x00000196E6EA0000-0x00000196E6EB0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2960-475-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3216-517-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3216-518-0x000001FBA5CE0000-0x000001FBA5CF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3216-521-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3216-519-0x000001FBA5CE0000-0x000001FBA5CF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3672-309-0x000001ED0A2E0000-0x000001ED0A2F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3672-307-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3672-308-0x000001ED0A2E0000-0x000001ED0A2F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3672-311-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3808-489-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3808-490-0x000001624D650000-0x000001624D660000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3808-499-0x000001624D650000-0x000001624D660000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3808-501-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3916-339-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3916-334-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3916-336-0x000001A75C150000-0x000001A75C160000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3916-335-0x000001A75C150000-0x000001A75C160000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4692-488-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4692-486-0x000002A039690000-0x000002A0396A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4692-477-0x000002A039690000-0x000002A0396A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4692-476-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4792-524-0x0000021E1C0D0000-0x0000021E1C0E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4792-523-0x0000021E1C0D0000-0x0000021E1C0E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4792-522-0x0000021E1C0D0000-0x0000021E1C0E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4792-534-0x0000021E1C0D0000-0x0000021E1C0E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5096-317-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5096-321-0x000001EAF10D0000-0x000001EAF10E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5096-322-0x000001EAF10D0000-0x000001EAF10E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5096-325-0x00007FFCB9750000-0x00007FFCBA212000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10.8MB