6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
26/04/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R6DEG3Z.cmd
Size

438KB
MD5

85d6b9f9cffa62fd7eb22954568a7d9a
SHA1

8c871d7aae9430ae72aa091988e622f14dc31d59
SHA256

6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729
SHA512

30cf6abff4fe1218967d99dd2828698ebf93ed8a9c5d94c601cfb08b3ec20fdabc34b657e4d1ac2570d75247927b886905410b927167f7ac91483a2a8a2684a8
SSDEEP

3072:ZddR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:XAnHu+R7VLo97bJu9p6zGDNS0KgOuCV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4036	dismhost.exe

Loads dropped DLL 23 IoCs

pid	Process
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe
4036	dismhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\SystemTemp\tem13C2.tmp	Clipup.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3724	sc.exe
980	sc.exe
4800	sc.exe
4752	sc.exe
4544	sc.exe
4844	sc.exe
4680	sc.exe
3056	sc.exe
3052	sc.exe
1472	sc.exe
4676	sc.exe
4012	sc.exe
2492	sc.exe
2460	sc.exe
2816	sc.exe
3372	sc.exe
3640	sc.exe
1052	sc.exe
2660	sc.exe
3020	sc.exe
4120	sc.exe
3724	sc.exe
1912	sc.exe
1052	sc.exe
780	sc.exe
3356	sc.exe
4984	sc.exe
4548	sc.exe
1924	sc.exe
4820	sc.exe
3028	sc.exe
2304	sc.exe
4992	sc.exe
4528	sc.exe
3504	sc.exe
3972	sc.exe
2252	sc.exe
3028	sc.exe
4952	sc.exe
2772	sc.exe
2148	sc.exe
3264	sc.exe
896	sc.exe
1516	sc.exe
3688	sc.exe
2636	sc.exe
4244	sc.exe
1104	sc.exe
3560	sc.exe
5088	sc.exe
4036	sc.exe
4344	sc.exe
1420	sc.exe
240	sc.exe
3264	sc.exe
860	sc.exe
2208	sc.exe
3092	sc.exe
4040	sc.exe
3756	sc.exe
4360	sc.exe
900	sc.exe
932	sc.exe
3412	sc.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3444	reg.exe
2112	reg.exe
2628	reg.exe
3812	reg.exe
1924	reg.exe
2408	reg.exe
3520	reg.exe
1456	reg.exe
4204	reg.exe
3084	reg.exe
4912	reg.exe
3464	reg.exe
1980	reg.exe
836	reg.exe
240	reg.exe
1456	reg.exe
2136	reg.exe
4940	reg.exe
4972	reg.exe
1516	reg.exe
3152	reg.exe
2312	reg.exe
4368	reg.exe
1796	reg.exe
3540	reg.exe
2168	reg.exe
1904	reg.exe
4508	reg.exe
2832	reg.exe
4368	reg.exe
4976	reg.exe
3580	reg.exe
4896	reg.exe
1608	reg.exe
1856	reg.exe
2436	reg.exe
3756	reg.exe
1548	reg.exe
4528	reg.exe
3560	reg.exe
4424	reg.exe
4120	reg.exe
2656	reg.exe
3008	reg.exe
1648	reg.exe
4756	reg.exe
3508	reg.exe
2636	reg.exe
4944	reg.exe
2352	reg.exe
2508	reg.exe
1712	reg.exe
4340	reg.exe
3128	reg.exe
3360	reg.exe
456	reg.exe
4796	reg.exe
4644	reg.exe
4192	reg.exe
4780	reg.exe
1624	reg.exe
3780	reg.exe
2100	reg.exe
1680	reg.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1324	PING.EXE
4644	PING.EXE
2408	PING.EXE
1548	PING.EXE
3612	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4344	powershell.exe
4344	powershell.exe
3020	powershell.exe
3020	powershell.exe
4896	powershell.exe
4896	powershell.exe
4360	powershell.exe
4360	powershell.exe
1040	powershell.exe
1040	powershell.exe
4092	powershell.exe
4092	powershell.exe
3228	powershell.exe
3228	powershell.exe
3372	powershell.exe
3372	powershell.exe
2304	powershell.exe
2304	powershell.exe
3308	powershell.exe
3308	powershell.exe
4940	powershell.exe
4940	powershell.exe
3304	powershell.exe
3304	powershell.exe
1516	powershell.exe
1516	powershell.exe
980	powershell.exe
980	powershell.exe
1368	powershell.exe
1368	powershell.exe
3536	powershell.exe
3536	powershell.exe
4200	powershell.exe
4200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	WMIC.exe
Token: SeSecurityPrivilege	2268	WMIC.exe
Token: SeTakeOwnershipPrivilege	2268	WMIC.exe
Token: SeLoadDriverPrivilege	2268	WMIC.exe
Token: SeSystemProfilePrivilege	2268	WMIC.exe
Token: SeSystemtimePrivilege	2268	WMIC.exe
Token: SeProfSingleProcessPrivilege	2268	WMIC.exe
Token: SeIncBasePriorityPrivilege	2268	WMIC.exe
Token: SeCreatePagefilePrivilege	2268	WMIC.exe
Token: SeBackupPrivilege	2268	WMIC.exe
Token: SeRestorePrivilege	2268	WMIC.exe
Token: SeShutdownPrivilege	2268	WMIC.exe
Token: SeDebugPrivilege	2268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2268	WMIC.exe
Token: SeRemoteShutdownPrivilege	2268	WMIC.exe
Token: SeUndockPrivilege	2268	WMIC.exe
Token: SeManageVolumePrivilege	2268	WMIC.exe
Token: 33	2268	WMIC.exe
Token: 34	2268	WMIC.exe
Token: 35	2268	WMIC.exe
Token: 36	2268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2268	WMIC.exe
Token: SeSecurityPrivilege	2268	WMIC.exe
Token: SeTakeOwnershipPrivilege	2268	WMIC.exe
Token: SeLoadDriverPrivilege	2268	WMIC.exe
Token: SeSystemProfilePrivilege	2268	WMIC.exe
Token: SeSystemtimePrivilege	2268	WMIC.exe
Token: SeProfSingleProcessPrivilege	2268	WMIC.exe
Token: SeIncBasePriorityPrivilege	2268	WMIC.exe
Token: SeCreatePagefilePrivilege	2268	WMIC.exe
Token: SeBackupPrivilege	2268	WMIC.exe
Token: SeRestorePrivilege	2268	WMIC.exe
Token: SeShutdownPrivilege	2268	WMIC.exe
Token: SeDebugPrivilege	2268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2268	WMIC.exe
Token: SeRemoteShutdownPrivilege	2268	WMIC.exe
Token: SeUndockPrivilege	2268	WMIC.exe
Token: SeManageVolumePrivilege	2268	WMIC.exe
Token: 33	2268	WMIC.exe
Token: 34	2268	WMIC.exe
Token: 35	2268	WMIC.exe
Token: 36	2268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3640	4820	cmd.exe	81
PID 4820 wrote to memory of 3640	4820	cmd.exe	81
PID 4820 wrote to memory of 3588	4820	cmd.exe	82
PID 4820 wrote to memory of 3588	4820	cmd.exe	82
PID 4820 wrote to memory of 1828	4820	cmd.exe	83
PID 4820 wrote to memory of 1828	4820	cmd.exe	83
PID 4820 wrote to memory of 804	4820	cmd.exe	84
PID 4820 wrote to memory of 804	4820	cmd.exe	84
PID 4820 wrote to memory of 1604	4820	cmd.exe	85
PID 4820 wrote to memory of 1604	4820	cmd.exe	85
PID 4820 wrote to memory of 5004	4820	cmd.exe	86
PID 4820 wrote to memory of 5004	4820	cmd.exe	86
PID 4820 wrote to memory of 436	4820	cmd.exe	87
PID 4820 wrote to memory of 436	4820	cmd.exe	87
PID 436 wrote to memory of 952	436	cmd.exe	88
PID 436 wrote to memory of 952	436	cmd.exe	88
PID 436 wrote to memory of 1100	436	cmd.exe	89
PID 436 wrote to memory of 1100	436	cmd.exe	89
PID 4820 wrote to memory of 2400	4820	cmd.exe	90
PID 4820 wrote to memory of 2400	4820	cmd.exe	90
PID 4820 wrote to memory of 3424	4820	cmd.exe	91
PID 4820 wrote to memory of 3424	4820	cmd.exe	91
PID 4820 wrote to memory of 2968	4820	cmd.exe	92
PID 4820 wrote to memory of 2968	4820	cmd.exe	92
PID 4820 wrote to memory of 3812	4820	cmd.exe	94
PID 4820 wrote to memory of 3812	4820	cmd.exe	94
PID 4820 wrote to memory of 3472	4820	cmd.exe	95
PID 4820 wrote to memory of 3472	4820	cmd.exe	95
PID 4820 wrote to memory of 1548	4820	cmd.exe	96
PID 4820 wrote to memory of 1548	4820	cmd.exe	96
PID 4820 wrote to memory of 732	4820	cmd.exe	97
PID 4820 wrote to memory of 732	4820	cmd.exe	97
PID 732 wrote to memory of 1324	732	cmd.exe	99
PID 732 wrote to memory of 1324	732	cmd.exe	99
PID 732 wrote to memory of 4360	732	cmd.exe	100
PID 732 wrote to memory of 4360	732	cmd.exe	100
PID 732 wrote to memory of 1316	732	cmd.exe	101
PID 732 wrote to memory of 1316	732	cmd.exe	101
PID 732 wrote to memory of 1832	732	cmd.exe	102
PID 732 wrote to memory of 1832	732	cmd.exe	102
PID 732 wrote to memory of 4092	732	cmd.exe	103
PID 732 wrote to memory of 4092	732	cmd.exe	103
PID 732 wrote to memory of 1764	732	cmd.exe	104
PID 732 wrote to memory of 1764	732	cmd.exe	104
PID 732 wrote to memory of 2468	732	cmd.exe	105
PID 732 wrote to memory of 2468	732	cmd.exe	105
PID 732 wrote to memory of 3108	732	cmd.exe	106
PID 732 wrote to memory of 3108	732	cmd.exe	106
PID 732 wrote to memory of 408	732	cmd.exe	107
PID 732 wrote to memory of 408	732	cmd.exe	107
PID 732 wrote to memory of 2004	732	cmd.exe	108
PID 732 wrote to memory of 2004	732	cmd.exe	108
PID 2004 wrote to memory of 712	2004	cmd.exe	109
PID 2004 wrote to memory of 712	2004	cmd.exe	109
PID 2004 wrote to memory of 2536	2004	cmd.exe	110
PID 2004 wrote to memory of 2536	2004	cmd.exe	110
PID 732 wrote to memory of 2320	732	cmd.exe	111
PID 732 wrote to memory of 2320	732	cmd.exe	111
PID 732 wrote to memory of 3688	732	cmd.exe	112
PID 732 wrote to memory of 3688	732	cmd.exe	112
PID 732 wrote to memory of 4520	732	cmd.exe	113
PID 732 wrote to memory of 4520	732	cmd.exe	113
PID 732 wrote to memory of 4944	732	cmd.exe	114
PID 732 wrote to memory of 4944	732	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:3640
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:3588
- C:\Windows\System32\findstr.exe
  findstr /v "$" "$R6DEG3Z.cmd"
  2⤵
  PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:804
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:1604
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:952
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd" "
  2⤵
  PID:2400
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:3424
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2968
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  PID:3812
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:3472
- C:\Windows\System32\reg.exe
  reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
  2⤵
  - Modifies registry key
  PID:1548
- C:\Windows\System32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd" -qedit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
    3⤵
    PID:1324
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:4360
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1316
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "$R6DEG3Z.cmd"
    3⤵
    PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:4092
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2468
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3108
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:712
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd" "
    3⤵
    PID:2320
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3688
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:4520
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:4944
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    PID:916
  - - C:\Windows\System32\PING.EXE
      ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      Runs ping.exe
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:4464
- - C:\Windows\System32\find.exe
    find /i "/S"
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:232
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:4948
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:4976
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:3164
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2532
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3664
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1532
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:2152
- - C:\Windows\System32\mode.com
    mode 110, 34
    3⤵
    PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $ExecutionContext.SessionState.LanguageMode
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\System32\find.exe
    find /i "Full"
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:2800
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:2300
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:4112
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:3724
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
    3⤵
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
    3⤵
    PID:5064
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
      4⤵
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
    3⤵
    PID:2476
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:3680
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
    3⤵
    PID:2968
  - - C:\Windows\System32\PING.EXE
      ping -n 1 l.root-servers.net
      4⤵
      Runs ping.exe
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 resolver1.opendns.com
    3⤵
    PID:3472
  - - C:\Windows\System32\PING.EXE
      ping -n 1 resolver1.opendns.com
      4⤵
      Runs ping.exe
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 download.windowsupdate.com
    3⤵
    PID:3756
  - - C:\Windows\System32\PING.EXE
      ping -n 1 download.windowsupdate.com
      4⤵
      Runs ping.exe
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 google.com
    3⤵
    PID:1112
  - - C:\Windows\System32\PING.EXE
      ping -n 1 google.com
      4⤵
      Runs ping.exe
      PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:408
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1200
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:1896
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2536
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:900
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    - Launches sc.exe
    PID:3688
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
    3⤵
    - Modifies registry key
    PID:3128
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
    3⤵
    - Modifies registry key
    PID:2352
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
    3⤵
    PID:1864
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
    3⤵
    - Modifies registry key
    PID:3520
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
    3⤵
    PID:132
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
    3⤵
    - Modifies registry key
    PID:3360
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
    3⤵
    - Modifies registry key
    PID:2656
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
    3⤵
    - Modifies registry key
    PID:3464
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:3056
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    - Launches sc.exe
    PID:4120
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:4368
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
    3⤵
    PID:4912
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:1624
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
    3⤵
    PID:464
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:456
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
    3⤵
    PID:4504
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
    3⤵
    PID:4516
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
    3⤵
    - Modifies registry key
    PID:4976
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:2208
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:932
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:4508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
    3⤵
    PID:1156
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:3780
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:1456
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:1648
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
    3⤵
    PID:736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    3⤵
    PID:3708
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
    3⤵
    - Modifies registry key
    PID:4796
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:2636
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    - Launches sc.exe
    PID:1924
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
    3⤵
    PID:2860
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
    3⤵
    - Modifies registry key
    PID:4204
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
    3⤵
    - Modifies registry key
    PID:1856
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
    3⤵
    PID:3372
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
    3⤵
    PID:3632
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
    3⤵
    PID:4828
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
    3⤵
    - Modifies registry key
    PID:4756
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
    3⤵
    - Modifies registry key
    PID:1796
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:780
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
    3⤵
    PID:1544
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
    3⤵
    - Modifies registry key
    PID:4192
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
    3⤵
    - Modifies registry key
    PID:2112
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
    3⤵
    - Modifies registry key
    PID:4528
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
    3⤵
    - Modifies registry key
    PID:3560
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
    3⤵
    - Modifies registry key
    PID:3580
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
    3⤵
    - Modifies registry key
    PID:3444
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
    3⤵
    PID:4744
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    - Launches sc.exe
    PID:3356
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    PID:1744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
    3⤵
    - Modifies registry key
    PID:4780
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
    3⤵
    PID:676
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
    3⤵
    - Modifies registry key
    PID:2628
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
    3⤵
    - Modifies registry key
    PID:1980
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
    3⤵
    - Modifies registry key
    PID:1712
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    3⤵
    PID:1912
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    3⤵
    - Modifies registry key
    PID:2436
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
    3⤵
    - Modifies registry key
    PID:4340
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:2772
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:980
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
    3⤵
    PID:4040
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
    3⤵
    PID:4448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
    3⤵
    PID:4548
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
    3⤵
    PID:3324
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
    3⤵
    PID:4992
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
    3⤵
    PID:1604
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
    3⤵
    - Modifies registry key
    PID:4896
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
    3⤵
    - Modifies registry key
    PID:4424
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    PID:5064
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:3412
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:2508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
    3⤵
    PID:2180
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
    3⤵
    PID:3116
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:3540
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:3508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:3812
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
    3⤵
    - Modifies registry key
    PID:2408
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
    3⤵
    PID:2204
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    PID:1548
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    - Launches sc.exe
    PID:4820
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:4972
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
    3⤵
    - Modifies registry key
    PID:3756
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:1516
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:836
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:1680
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:240
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
    3⤵
    - Modifies registry key
    PID:1608
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
    3⤵
    - Modifies registry key
    PID:2100
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:2816
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:4800
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
    3⤵
    PID:2004
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
    3⤵
    - Modifies registry key
    PID:2168
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
    3⤵
    PID:4520
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
    3⤵
    PID:652
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
    3⤵
    - Modifies registry key
    PID:3008
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
    3⤵
    - Modifies registry key
    PID:1904
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
    3⤵
    - Modifies registry key
    PID:3084
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
    3⤵
    - Modifies registry key
    PID:2832
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:3092
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:3028
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
    3⤵
    PID:3736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
    3⤵
    - Modifies registry key
    PID:4120
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
    3⤵
    - Modifies registry key
    PID:4368
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
    3⤵
    - Modifies registry key
    PID:4912
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
    3⤵
    - Modifies registry key
    PID:2136
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
    3⤵
    - Modifies registry key
    PID:4644
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
    3⤵
    - Modifies registry key
    PID:3152
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
    3⤵
    - Modifies registry key
    PID:2312
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:2252
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:4676
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
    3⤵
    PID:3780
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
    3⤵
    - Modifies registry key
    PID:1456
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
    3⤵
    PID:1648
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
    3⤵
    PID:736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
    3⤵
    PID:3708
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
    3⤵
    PID:4796
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
    3⤵
    - Modifies registry key
    PID:2636
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
    3⤵
    - Modifies registry key
    PID:1924
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    PID:2988
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:4244
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:3372
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:4844
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:1104
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    PID:4488
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:4984
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:4344
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    - Launches sc.exe
    PID:4680
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:3264
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:4012
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:2660
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4752
- - C:\Windows\System32\sc.exe
    sc config DoSvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:3560
- - C:\Windows\System32\sc.exe
    sc config UsoSvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:2304
- - C:\Windows\System32\sc.exe
    sc config wuauserv start= demand
    3⤵
    - Launches sc.exe
    PID:5088
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    - Launches sc.exe
    PID:2492
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3356
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    PID:1692
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:676
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:2460
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3724
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1712
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:1912
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    PID:2436
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4748
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:896
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:4544
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:804
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:1420
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    - Launches sc.exe
    PID:4548
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3588
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    PID:3308
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:4992
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service DoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1040
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5012
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    PID:1680
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:240
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service UsoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4092
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:3052
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3576
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:3028
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    PID:3736
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3880
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    PID:4368
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service BITS
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3228
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    PID:4636
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2860
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:4952
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service TrustedInstaller
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3372
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:3264
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2380
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:4528
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    PID:4752
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service wuauserv
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:4040
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3956
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:860
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4036
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service WaaSMedicSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3308
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3756
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4888
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:2476
- - C:\Windows\System32\findstr.exe
    findstr /i "ClipSVC-1058 sppsvc-1058"
    3⤵
    PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
    3⤵
    PID:972
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:1872
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
    3⤵
    PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
    3⤵
    PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\$R6DEG3Z.cmd') -split ':wpatest\:.*';iex ($f[1]);"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
    3⤵
    PID:4784
- - C:\Windows\System32\find.exe
    find /i "Error Found"
    3⤵
    PID:2292
- - C:\Windows\System32\Dism.exe
    DISM /English /Online /Get-CurrentEdition
    3⤵
    - Drops file in Windows directory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\dismhost.exe {BAD7E972-5199-4AD5-B4FC-84DD770FC97A}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:4036
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b -2147467259
    3⤵
    PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
    3⤵
    PID:2596
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
      4⤵
      PID:4192
- - C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
    3⤵
    PID:2112
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:4812
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:4752
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
    3⤵
    PID:3372
- - C:\Windows\System32\findstr.exe
    findstr /i "0x800410 0x800440"
    3⤵
    PID:3604
- - C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
    3⤵
    PID:4744
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
    3⤵
    PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
    3⤵
    PID:2628
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
      4⤵
      PID:3552
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
    3⤵
    PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
    3⤵
    PID:804
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
      4⤵
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
    3⤵
    PID:4928
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
      4⤵
      PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:980
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
    3⤵
    PID:3108
- - C:\Windows\System32\find.exe
    find /i "windowsupdate"
    3⤵
    PID:3112
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
    3⤵
    - Modifies registry key
    PID:4940
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
    3⤵
    PID:4256
- - C:\Windows\System32\findstr.exe
    findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
    3⤵
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:4820
- - C:\Windows\System32\find.exe
    find /i "wuauserv"
    3⤵
    PID:3028
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
    3⤵
    PID:4120
- - C:\Windows\System32\find.exe
    find /i "0x1"
    3⤵
    PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
    3⤵
    PID:4912
- - C:\Windows\System32\find.exe
    find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
    3⤵
    PID:1184
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
    3⤵
    PID:4676
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:788
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
    3⤵
    PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
    3⤵
    PID:2932
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Name
      4⤵
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
    3⤵
    PID:3836
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Nation
      4⤵
      PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
    3⤵
    PID:1796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
    3⤵
    PID:4012
- - C:\Windows\System32\find.exe
    find "AAAA"
    3⤵
    PID:4680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Restart-Service ClipSVC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3536
- - C:\Windows\System32\ClipUp.exe
    clipup -v -o
    3⤵
    PID:8
  - - C:\Windows\System32\clipup.exe
      clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem14AC.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:4520
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:980
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
    3⤵
    PID:3112
- - C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /ato
    3⤵
    PID:3452
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b -2147023665
    3⤵
    PID:3880
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:456
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:772
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:2328
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:3152

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:2784
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem13C2.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket.xml

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6beabfb3abd480b469e6ed386fa98cc0

SHA1
c235c30c917076d76896a9b609162ba2ec5bb899

SHA256
67c8299df45c06caf4cba101600d376eb3c9bf5f689852c334bec1e391fe5123

SHA512
4039592b7e8ff928555c00094a5dbe52181523eb221b426ce711d1da98594e0816616c08f28556f18b5351fe701b1916bbd7ccd33d53047e115bff85a1da869e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53fbb36e3de882ade26ea8b023b9a6ce

SHA1
ff48acf3b1475f0933c950856f58aebb26ca4af9

SHA256
c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130

SHA512
a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
043e669b96fe592d55e60aa0c65a76b5

SHA1
f2f504b51b74d90c361ba936f191d63723edd100

SHA256
a53c907618aba8156de50434590320f778e22e452ae8b483f9bcfa555b5f73df

SHA512
0c1f613f3e3ed6553cabc025d0b2552bbb6930ea89f9f20a2f299210bd4e38b718fe1a22d18b1ddd8aa3bfd92ef1d9cd9c1b1b692f4b6e2a3fd937b6a16c568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
deace1f3e3f4fff66c9e1ab8fdd10b75

SHA1
a6a793f8e6628020a852b817f4941fa5fe85c326

SHA256
1773e2aa319ae388e654acd214635d9c2334f0922471d7b79f5360a355a9a27f

SHA512
1c74bff974f4b248f6b5fd79dc6ea6a50518cd57e91e4415497c36371b36c4a310069fc5ae6a6435c2eed21c991fe9ed33427bcfd46d3fe71fbfd28a233f31b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\AppxProvider.dll

Filesize
664KB

MD5
a31cb807bf0ab4ddbbe2b6bb96ae6cd1

SHA1
cf63765b41aee9cd7ae76c04dfbb6151e909b3c9

SHA256
37f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47

SHA512
6a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\CbsProvider.dll

Filesize
1004KB

MD5
f51151b2d8d84cddbedbeffebdc6ec6a

SHA1
adc9c19aa0663e65997f54835228968e13532198

SHA256
7fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884

SHA512
802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\DismCore.dll

Filesize
444KB

MD5
c73ee8f61bce89d1edad64d16fedcdd6

SHA1
e8fe02e68fd278fd4af501e350d412a5a91b269f

SHA256
b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413

SHA512
8a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\DmiProvider.dll

Filesize
436KB

MD5
e54120aa50f14e0d3d257e77db46ece5

SHA1
922203542962ec5f938dcb3c876f060ecf17f9dc

SHA256
b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54

SHA512
fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\Ffuprovider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\GenericProvider.dll

Filesize
172KB

MD5
20fb116831396d9477e352d42097741c

SHA1
7e063ac9bc173a81dc56dc5864f912041e2c725a

SHA256
6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4

SHA512
851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\MsiProvider.dll

Filesize
208KB

MD5
eb171b7a41a7dd48940f7521da61feb0

SHA1
9f2a5ddac7b78615f5a7af753d835aaa41e788fc

SHA256
56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

SHA512
5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\SmiProvider.dll

Filesize
272KB

MD5
46e3e59dbf300ae56292dea398197837

SHA1
78636b25fdb32c8fcdf5fe73cac611213f13a8be

SHA256
5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

SHA512
e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\Vhdprovider.dll

Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\WimProvider.dll

Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\dismprov.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\en-US\AppxProvider.dll.mui

Filesize
23KB

MD5
f70750a86cda23a3ced4a7ecf03feebd

SHA1
1c2d9d79974338ce21561b916130e696236fbb48

SHA256
8038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050

SHA512
cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
3a26818c500fb74f13342f44c5213114

SHA1
af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602

SHA256
421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb

SHA512
afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
8644aa200968ce8dfe182f775e1d65c4

SHA1
060149f78e374f2983abde607066f2e07e9b0861

SHA256
46b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030

SHA512
29b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\en-US\DismCore.dll.mui

Filesize
7KB

MD5
0a4338fdfb1adaa6592b8f1023ced5cf

SHA1
b96bd2067f43e5142e19f9c66e4db7d317d9cd2e

SHA256
0b6ac5a720dc9163dea36e565c82da1e375041688e6594de15d97652ab7aca80

SHA512
cf8cbb592dc5f09a95892d897680d4ca4f59e74afaeea2701d7258ace84c4c1182e032e7dd76cbd52a77ea08c8d3858e9b5f900691a6d80c728f5e56701382db

Download Submit
C:\Users\Admin\AppData\Local\Temp\D800AED0-19C2-4C32-820D-8CB72935E9BE\en-US\dismprov.dll.mui

Filesize
2KB

MD5
bff1ff3b5a6dba20ce82214fd626dc2b

SHA1
affa7a6f6f1bec42dafe0ca868463eddffcc17e0

SHA256
f307033265151affded4af3dbc2527bc16479468af740ea913f84a2a3a557c46

SHA512
20dfc62f92fc8ab8c7f757a078103414c4e359b744a603f8b655dcd2340677fa7d5fd2acf3c544a3409d31194df788e764c262ea7c625019276e1d00d3f6de19

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhlrmcz3.xpc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
262KB

MD5
5940dd63e34b21661fb646cb5cc7527b

SHA1
d204f727b925fdbd5f64f275b775b073e5b38b53

SHA256
e4c063a287cb221864c62cc07adc38338a01062cdcdb453c048d95a4b6ee3e4d

SHA512
b30d483c1b6b5d8323a5065936d514b72181292fbb3917f7df4d0ea96e298d7b734e56188fc40c31d5708b374209f5efe458d6a879e3136e1610c66dbb408d3e

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
266KB

MD5
2a566910b2116774a566b641903f1412

SHA1
0cf676ee820e2759b2836ef4c77b22b8e302f6ae

SHA256
9f64d8e67c8b04c7e06cf158ff358a6ee2ca52aaba0cb7dafdb438c8c8ed4ba3

SHA512
7d3808ec52b7849b26ed158bb8bd9b45228b6e68455964e24d5bdd124159ad7fc77894b52a1b765434c62365e1ecaec19c24c3e01328a87d0712f05d9f936f48

Download Submit
memory/8-534-0x0000023B4F880000-0x0000023B4F890000-memory.dmp

Filesize
64KB

Download
memory/8-528-0x0000023B4F880000-0x0000023B4F890000-memory.dmp

Filesize
64KB

Download
memory/8-527-0x0000023B4F880000-0x0000023B4F890000-memory.dmp

Filesize
64KB

Download
memory/1420-516-0x000002E546210000-0x000002E546220000-memory.dmp

Filesize
64KB

Download
memory/1420-515-0x000002E546210000-0x000002E546220000-memory.dmp

Filesize
64KB

Download
memory/1420-519-0x000002E546210000-0x000002E546220000-memory.dmp

Filesize
64KB

Download
memory/2164-533-0x000001E7AD930000-0x000001E7AD940000-memory.dmp

Filesize
64KB

Download
memory/2164-529-0x000001E7AD930000-0x000001E7AD940000-memory.dmp

Filesize
64KB

Download
memory/2164-530-0x000001E7AD930000-0x000001E7AD940000-memory.dmp

Filesize
64KB

Download
memory/2784-520-0x0000018446D20000-0x0000018446D30000-memory.dmp

Filesize
64KB

Download
memory/2784-514-0x0000018446D20000-0x0000018446D30000-memory.dmp

Filesize
64KB

Download
memory/2784-513-0x0000018446D20000-0x0000018446D30000-memory.dmp

Filesize
64KB

Download
memory/4344-0-0x000001BED71C0000-0x000001BED71E2000-memory.dmp

Filesize
136KB

Download