Analysis
max time kernel: 842s
max time network: 842s
platform: windows10-2004_x64
resource: win10v2004-20240611-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-es, locale:es-es, os:windows10-2004-x64, system: windows
submitted: 20-06-2024 17:13
Static task: static1
General
Target: MAS_AIO-CRC32_31F7FD1E.cmd
Size: 438KB
MD5: 88d518ea04598e056440635851ba61db
SHA1: 22c62949a561e0172a8c1a870862cd7b64d09738
SHA256: 533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0
SHA512: 45af822ee9565a9962e6bcbfce93c31f15eaa39bad3bc6a97791366ec9547011c2ff933411d8b883ef54367dcc3588a1a737d63f1a528dedc1cdc98ab4aedecf
SSDEEP: 3072:M/dR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:KAnHu+R7VLo97bJu9p6zGDNS0KgOuCV
Malware Config
Signatures
Executes dropped EXE 4 IoCs
Processes: dismhost.exe
pid process
840 dismhost.exe
4400 dismhost.exe
5500 dismhost.exe
1380 dismhost.exe
Loads dropped DLL 64 IoCs
Processes: dismhost.exe, WINWORD.EXE
pid process
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
840 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
4400 dismhost.exe
1300 WINWORD.EXE
1300 WINWORD.EXE
6956 WINWORD.EXE
6956 WINWORD.EXE
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
5500 dismhost.exe
1380 dismhost.exe
1380 dismhost.exe
1380 dismhost.exe
Drops file in System32 directory 1 IoCs
Processes: svchost.exe
description ioc process
File opened for modification C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT svchost.exe
Drops file in Program Files directory 3 IoCs
Processes: powershell.exe, cmd.exe
description ioc process
File created C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll powershell.exe
File created C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll powershell.exe
File created C:\Program Files\Microsoft Office\root\vfs\System\sppcs.dll cmd.exe
Drops file in Windows directory 8 IoCs
Processes: dismhost.exe, Dism.exe
description ioc process
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe
File opened for modification C:\Windows\Logs\DISM\dism.log Dism.exe
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe
File opened for modification C:\Windows\Logs\DISM\dism.log Dism.exe
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe
File opened for modification C:\Windows\Logs\DISM\dism.log Dism.exe
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe
File opened for modification C:\Windows\Logs\DISM\dism.log Dism.exe
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid process
960 sc.exe
4580 sc.exe
6000 sc.exe
2644 sc.exe
4640 sc.exe
4868 sc.exe
1328 sc.exe
3676 sc.exe
392 sc.exe
948 sc.exe
1924 sc.exe
2536 sc.exe
4468 sc.exe
4220 sc.exe
3800 sc.exe
4912 sc.exe
6740 sc.exe
964 sc.exe
6972 sc.exe
6784 sc.exe
1344 sc.exe
3800 sc.exe
6688 sc.exe
1888 sc.exe
556 sc.exe
1864 sc.exe
1452 sc.exe
1384 sc.exe
4040 sc.exe
644 sc.exe
3520 sc.exe
3920 sc.exe
1508 sc.exe
6656 sc.exe
2992 sc.exe
6756 sc.exe
316 sc.exe
2916 sc.exe
1800 sc.exe
4900 sc.exe
5080 sc.exe
632 sc.exe
5180 sc.exe
2012 sc.exe
2188 sc.exe
532 sc.exe
1148 sc.exe
960 sc.exe
2912 sc.exe
4468 sc.exe
3488 sc.exe
2252 sc.exe
3008 sc.exe
2880 sc.exe
6908 sc.exe
1724 sc.exe
3888 sc.exe
4356 sc.exe
4268 sc.exe
3956 sc.exe
6108 sc.exe
3352 sc.exe
2236 sc.exe
1100 sc.exe
Checks SCSI registry key(s) 3 TTPs 23 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SettingSyncHost.exe, taskmgr.exe, Clipup.exe, clipup.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SettingSyncHost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Clipup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs clipup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID clipup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SettingSyncHost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID SettingSyncHost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID SettingSyncHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs Clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID Clipup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SettingSyncHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID Clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID SettingSyncHost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID SettingSyncHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SettingSyncHost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs Clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs clipup.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID clipup.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, taskmgr.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Enumerates system info in registry 2 TTPs 9 IoCs
Processes: chrome.exe, WINWORD.EXE
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Processes: WINWORD.EXE, wwahost.exe
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "60" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "0" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "32" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\signup.live.com WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\hsprotect.net WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "177" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "0" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "122" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "32" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "221" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "3693" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "122" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\NumberOfSubdomains = "1" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "20" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "20" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "168" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3733" WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.com WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "3693" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "0" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "40" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "177" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "2" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "20" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "128" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "217" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "1" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "0" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "261" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "221" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "128" WINWORD.EXE
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633775353780673" chrome.exe
Modifies registry class 64 IoCs
Processes: SettingSyncHost.exe, wwahost.exe, chrome.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedge.stable_8wekyb3d8bbwe\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho = "0" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com\ = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.creddialoghost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" wwahost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.client.cbs_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\ = "1" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.aad.brokerplugin_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.ecapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.undockeddevkit_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com\ = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "122" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.win32webviewhost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" wwahost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{100BEB3C-74F3-45D0-9D48-EE8EE61E0779} chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdomai = "0" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "122" wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.xgpuejectdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.xboxgamecallableui_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com wwahost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.accountscontrol_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.lockapp_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\ncsiuwpapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId SettingSyncHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.bioenrollment_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.apprep.chxapp_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1" wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho wwahost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.callingshellapp_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.printdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe
Modifies registry key 1 TTPs 64 IoCs
Processes: reg.exe, 64 instances (PIDs in report order): 7104, 4624, 5076, 1880, 2672, 6232, 216, 5632, 6164, 896, 5652, 6776, 4244, 6768, 2212, 3952, 752, 2552, 5528, 4952, 2324, 2976, 1880, 1872, 4600, 1904, 1088, 1152, 2160, 1136, 4836, 1012, 4220, 3140, 7012, 1368, 3932, 1896, 6428, 2408, 5080, 4548, 2812, 1872, 1868, 1288, 4040, 1592, 1088, 2680, 4472, 7084, 2508, 944, 5260, 4348, 1508, 3096, 5096, 4548, 4860, 2060, 3140, 4168
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes (pid, process): 1300 WINWORD.EXE (2 hits), 6956 WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid of powershell.exe, hits, in report order): 1872 (2), 1816 (2), 3976 (2), 2808 (2), 3976 (3), 4160 (3), 1344 (3), 3568 (3), 1328 (3), 3664 (3), 4640 (3), 2932 (3), 4384 (3), 2176 (3), 392 (3), 2100 (3), 1200 (3), 3888 (3), 2512 (3), 920 (3), 1456 (3), 1204 (3), 1468 (2)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process): 1736 taskmgr.exe (1 hit)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Processes (pid, process): 5620 chrome.exe (15 hits)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (process, pid: privileges enabled via token adjustment, in report order):
- powershell.exe 1872: SeDebugPrivilege
- powershell.exe 1816: SeDebugPrivilege
- WMIC.exe 1508 (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- WMIC.exe 4512: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid, process): 5620 chrome.exe, then 1736 taskmgr.exe (64 hits in total)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid, process): 5620 chrome.exe, then 1736 taskmgr.exe (64 hits in total)
Suspicious use of SetWindowsHookEx 38 IoCs
Processes (pid, process): 1300 WINWORD.EXE (26 hits), 5332 wwahost.exe (1 hit), 6956 WINWORD.EXE (11 hits)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and image wrote to memory of target pid and image; every event is recorded twice):
- 1832 cmd.exe wrote to memory of 1460 sc.exe (2 hits)
- 1832 cmd.exe wrote to memory of 624 find.exe (2 hits)
- 1832 cmd.exe wrote to memory of 1516 findstr.exe (2 hits)
- 1832 cmd.exe wrote to memory of 4564 cmd.exe (2 hits)
- 1832 cmd.exe wrote to memory of 2324 reg.exe (2 hits)
- 1832 cmd.exe wrote to memory of 2464 find.exe (2 hits)
- 1832 cmd.exe wrote to memory of 4636 cmd.exe (2 hits)
- 4636 cmd.exe wrote to memory of 4340 cmd.exe (2 hits)
- 4636 cmd.exe wrote to memory of 4852 cmd.exe (2 hits)
- 1832 cmd.exe wrote to memory of 4492 cmd.exe (2 hits)
- 1832 cmd.exe wrote to memory of 1660 find.exe (2 hits)
- 1832 cmd.exe wrote to memory of 2536 fltMC.exe (2 hits)
- 1832 cmd.exe wrote to memory of 2212 reg.exe (2 hits)
- 1832 cmd.exe wrote to memory of 4168 find.exe (2 hits)
- 1832 cmd.exe wrote to memory of 4268 reg.exe (2 hits)
- 1832 cmd.exe wrote to memory of 3116 cmd.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4548 reg.exe (2 hits)
- 3116 cmd.exe wrote to memory of 1384 sc.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4364 find.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4260 findstr.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4824 cmd.exe (2 hits)
- 3116 cmd.exe wrote to memory of 1860 find.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4988 cmd.exe (2 hits)
- 3116 cmd.exe wrote to memory of 4384 reg.exe (2 hits)
- 3116 cmd.exe wrote to memory of 2020 find.exe (2 hits)
- 3116 cmd.exe wrote to memory of 1896 cmd.exe (2 hits)
- 1896 cmd.exe wrote to memory of 4432 cmd.exe (2 hits)
- 1896 cmd.exe wrote to memory of 4640 cmd.exe (2 hits)
- 3116 cmd.exe wrote to memory of 744 cmd.exe (2 hits)
- 3116 cmd.exe wrote to memory of 2156 find.exe (2 hits)
- 3116 cmd.exe wrote to memory of 2984 fltMC.exe (2 hits)
- 3116 cmd.exe wrote to memory of 3852 reg.exe (2 hits)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree, one entry per process as "image path: command line [signatures matched]"; indentation shows parent/child depth.
- C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" [Suspicious use of WriteProcessMemory]
  - C:\Windows\System32\sc.exe: sc query Null
  - C:\Windows\System32\find.exe: find /i "RUNNING"
  - C:\Windows\System32\findstr.exe: findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
  - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ver
  - C:\Windows\System32\reg.exe: reg query "HKCU\Console" /v ForceV2
  - C:\Windows\System32\find.exe: find /i "0x0"
  - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd [Suspicious use of WriteProcessMemory]
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    - C:\Windows\System32\cmd.exe: cmd
  - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "
  - C:\Windows\System32\find.exe: find /i "C:\Users\Admin\AppData\Local\Temp"
  - C:\Windows\System32\fltMC.exe: fltmc
  - C:\Windows\System32\reg.exe: reg query HKCU\Console /v QuickEdit [Modifies registry key]
  - C:\Windows\System32\find.exe: find /i "0x0"
  - C:\Windows\System32\reg.exe: reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
  - C:\Windows\System32\cmd.exe: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" -qedit" [Drops file in Program Files directory; Suspicious use of WriteProcessMemory]
    - C:\Windows\System32\reg.exe: reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f [Modifies registry key]
    - C:\Windows\System32\sc.exe: sc query Null [Launches sc.exe]
    - C:\Windows\System32\find.exe: find /i "RUNNING"
    - C:\Windows\System32\findstr.exe: findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    - C:\Windows\System32\find.exe: find /i "/"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ver
    - C:\Windows\System32\reg.exe: reg query "HKCU\Console" /v ForceV2
    - C:\Windows\System32\find.exe: find /i "0x0"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd [Suspicious use of WriteProcessMemory]
      - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      - C:\Windows\System32\cmd.exe: cmd
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "
    - C:\Windows\System32\find.exe: find /i "C:\Users\Admin\AppData\Local\Temp"
    - C:\Windows\System32\fltMC.exe: fltmc
    - C:\Windows\System32\reg.exe: reg query HKCU\Console /v QuickEdit
    - C:\Windows\System32\find.exe: find /i "0x0"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      - C:\Windows\System32\PING.EXE: ping -4 -n 1 updatecheck.massgrave.dev [Runs ping.exe]
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    - C:\Windows\System32\find.exe: find "127.69"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    - C:\Windows\System32\find.exe: find "127.69.2.6"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    - C:\Windows\System32\find.exe: find /i "/S"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    - C:\Windows\System32\find.exe: find /i "/"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      - C:\Windows\System32\reg.exe: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    - C:\Windows\System32\mode.com: mode 76, 30
    - C:\Windows\System32\choice.exe: choice /C:123456780 /N
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ver
    - C:\Windows\System32\reg.exe: reg query "HKCU\Console" /v ForceV2
    - C:\Windows\System32\find.exe: find /i "0x0"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      - C:\Windows\System32\cmd.exe: cmd
    - C:\Windows\System32\mode.com: mode 110, 34
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell.exe $ExecutionContext.SessionState.LanguageMode [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\find.exe: find /i "Full"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
    - C:\Windows\System32\find.exe: find /i "Windows"
    - C:\Windows\System32\wbem\WMIC.exe: wmic path Win32_ComputerSystem get CreationClassName /value [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\find.exe: find /i "computersystem"
    - C:\Windows\System32\sc.exe: sc start sppsvc
    - C:\Windows\System32\wbem\WMIC.exe: wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\findstr.exe: findstr /i "Windows"
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku [Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      - C:\Windows\System32\reg.exe: reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      - C:\Windows\System32\wbem\WMIC.exe: wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      - C:\Windows\System32\reg.exe: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ver
    - C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
      - C:\Windows\System32\PING.EXE: ping -n 1 l.root-servers.net [Runs ping.exe]
    - C:\Windows\System32\reg.exe: reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    - C:\Windows\System32\find.exe: find /i "0x0"
    - C:\Windows\System32\reg.exe: reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    - C:\Windows\System32\find.exe: find /i "0x0"
    - C:\Windows\System32\sc.exe: sc start ClipSVC [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query ClipSVC [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type [Modifies registry key]
    - C:\Windows\System32\sc.exe: sc start wlidsvc
    - C:\Windows\System32\sc.exe: sc query wlidsvc [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
    - C:\Windows\System32\sc.exe: sc start sppsvc
    - C:\Windows\System32\sc.exe: sc query sppsvc [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type [Modifies registry key]
    - C:\Windows\System32\sc.exe: sc start KeyIso
    - C:\Windows\System32\sc.exe: sc query KeyIso [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
    - C:\Windows\System32\sc.exe: sc start LicenseManager [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query LicenseManager
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
    - C:\Windows\System32\sc.exe: sc start Winmgmt
    - C:\Windows\System32\sc.exe: sc query Winmgmt [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
    - C:\Windows\System32\sc.exe: sc start DoSvc [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query DoSvc [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type [Modifies registry key]
    - C:\Windows\System32\sc.exe: sc start UsoSvc [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query UsoSvc [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
    - C:\Windows\System32\sc.exe: sc start CryptSvc
    - C:\Windows\System32\sc.exe: sc query CryptSvc
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
    - C:\Windows\System32\sc.exe: sc start BITS [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query BITS
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName [Modifies registry key]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type [Modifies registry key]
    - C:\Windows\System32\sc.exe: sc start TrustedInstaller [Launches sc.exe]
    - C:\Windows\System32\sc.exe: sc query TrustedInstaller [Launches sc.exe]
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query wuauserv3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type3⤵
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵
-
C:\Windows\System32\sc.exesc query WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type3⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start ClipSVC3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start wlidsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
-
C:\Windows\System32\sc.exesc start KeyIso3⤵
-
C:\Windows\System32\sc.exesc start LicenseManager3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start DoSvc3⤵
-
C:\Windows\System32\sc.exesc start UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start CryptSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start BITS3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start TrustedInstaller3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc config DoSvc start= delayed-auto3⤵
-
C:\Windows\System32\sc.exesc query ClipSVC3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start ClipSVC3⤵
-
C:\Windows\System32\sc.exesc query wlidsvc3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start wlidsvc3⤵
-
C:\Windows\System32\sc.exesc query sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query KeyIso3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start KeyIso3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query LicenseManager3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start LicenseManager3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query Winmgmt3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query DoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service DoSvc3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sc.exesc query DoSvc3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start DoSvc3⤵
-
C:\Windows\System32\sc.exesc query UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query CryptSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start CryptSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query BITS3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start BITS3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query TrustedInstaller3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start TrustedInstaller3⤵
-
C:\Windows\System32\sc.exesc query wuauserv3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start wuauserv3⤵
-
C:\Windows\System32\sc.exesc query WaaSMedicSvc3⤵
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState4⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "9" "3⤵
-
C:\Windows\System32\find.exefind /i "Error Found"3⤵
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exeC:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe {215EE2D0-1153-4CF5-92A8-3419BBB2F70A}4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID4⤵
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "0" "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440"3⤵
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"4⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility3⤵
-
C:\Windows\System32\find.exefind /i "windowsupdate"3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s3⤵
-
C:\Windows\System32\findstr.exefindstr /i "NoAutoUpdate DisableWindowsUpdateAccess"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo: "3⤵
-
C:\Windows\System32\find.exefind /i "wuauserv"3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps3⤵
-
C:\Windows\System32\find.exefind /i "0x1"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "3⤵
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Set-WinHomeLocation -GeoId 244"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "3⤵
-
C:\Windows\System32\find.exefind "AAAA"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Restart-Service ClipSVC3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\ClipUp.execlipup -v -o3⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem1345.tmp4⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value3⤵
-
C:\Windows\System32\findstr.exefindstr /i "Windows"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Set-WinHomeLocation -GeoId 217"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\mode.commode 76, 303⤵
-
C:\Windows\System32\choice.exechoice /C:123456780 /N3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
C:\Windows\System32\cmd.execmd4⤵
-
C:\Windows\System32\mode.commode 76, 253⤵
-
C:\Windows\System32\choice.exechoice /C:1230 /N3⤵
-
C:\Windows\System32\mode.commode 130, 323⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $ExecutionContext.SessionState.LanguageMode3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\find.exefind /i "Full"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "3⤵
-
C:\Windows\System32\find.exefind /i "Windows"3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
-
C:\Windows\System32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
-
C:\Windows\System32\sc.exesc query sppsvc3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type3⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
-
C:\Windows\System32\sc.exesc query Winmgmt3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName3⤵
- Modifies registry key
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type3⤵
- Modifies registry key
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start sppsvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc query Winmgmt3⤵
- Launches sc.exe
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
C:\Windows\System32\sc.exesc start Winmgmt3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState4⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "9" "3⤵
-
C:\Windows\System32\find.exefind /i "Error Found"3⤵
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exeC:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe {6AAB1661-765A-48DB-B215-801BAE6016E8}4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID4⤵
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv3⤵
-
C:\Windows\System32\cmd.execmd /c exit /b 03⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
-
C:\Windows\System32\find.exefind /i "computersystem"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "0" "3⤵
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440"3⤵
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"4⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul3⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul3⤵
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
- Modifies registry key
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\System32\find.exe
    find /i "Office"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\System32\sc.exe
    sc query ClickToRunSvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query OfficeSvc
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Wow6432Node"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
[depth 4] C:\Windows\System32\findstr.exe
    findstr /i "Retail Volume"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "" "
[depth 3] C:\Windows\System32\find.exe
    find /i " ProPlusRetail.16 "
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
[depth 3] C:\Windows\System32\find.exe
    find /i "2024"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Subscription"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
[depth 3] C:\Windows\System32\find.exe
    find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
[depth 3] C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\System32\find.exe
    find /i "Error found"
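The PowerShell command line just above is the interesting step of this run: it reads the activator's own .cmd file, regex-splits it on a `:sppc64.dll:` label line, rewrites `-` to `A` and `_` to `a` in the text that follows, base64-decodes that into `$bytes`, sets `$PePath` to the Office `sppc.dll` and `$offset` to 3076, then splits the same file on `:hexedit:` and `iex`-es that section (the sandbox records a file drop in Program Files immediately after). The Python below is an added example, not code from the report or from the MAS project; it reproduces only the carving and decoding step so the embedded binary can be extracted and hashed offline without running the batch file. `SAMPLE_CMD` and `SAMPLE_PAYLOAD` are constructed stand-ins, the `_encode_like_mas` helper exists only to build them, and stopping at the next `:label:` line (the one-liner takes everything after the label) is an assumption about the file layout.

```python
"""Carve the base64 payload a MAS-style .cmd keeps behind a batch label.

Added example, not code from the sandbox report or from the MAS project.
It mirrors the decoder in the PowerShell one-liner:
  text -split ':sppc64.dll:.*'  ->  take [1]  ->  '-'=>'A', '_'=>'a'  ->  FromBase64String
so the embedded binary can be extracted and hashed offline without running
the batch file. SAMPLE_CMD is a constructed stand-in with the same layout.
"""
import base64
import hashlib
import re


def _encode_like_mas(blob: bytes) -> str:
    """Inverse of the script's decoder: base64, then 'A'->'-' and 'a'->'_'.

    Standard base64 never contains '-' or '_', so the substitution is
    reversible; it only stops the blob from looking like base64 to a
    naive scanner. (Helper used to build the constructed sample below.)
    """
    return base64.b64encode(blob).decode().replace("A", "-").replace("a", "_")


# Constructed sample payload and .cmd text (hypothetical; not the real file).
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"fake-sppc64.dll"
SAMPLE_CMD = (
    "@echo off\r\n"
    "goto :main\r\n"
    ":sppc64.dll: base64 payload follows (constructed sample)\r\n"
    + _encode_like_mas(SAMPLE_PAYLOAD) + "\r\n"
    ":hexedit: PowerShell code follows (constructed sample)\r\n"
    "Write-Host 'placeholder'\r\n"
    ":main\r\n"
    "echo done\r\n"
)


def section_after(text: str, label: str) -> str:
    """Text after the first ':<label>:' line.

    Same split as the one-liner's `-split ':label:.*'` with element [1],
    except that this version stops at the next line beginning with ':'
    (an assumption about the layout) so one section is returned at a time.
    """
    parts = re.split(":" + re.escape(label) + ":.*", text, maxsplit=1)
    if len(parts) < 2:
        raise KeyError(f"label :{label}: not found")
    body = parts[1]
    nxt = re.search(r"^:", body, flags=re.M)
    return body[: nxt.start()] if nxt else body


def decode_mas_blob(section: str) -> bytes:
    """Undo the '-'/'_' substitution and base64-decode, as the script does."""
    encoded = "".join(section.split())  # strip CR/LF and any indentation
    encoded = encoded.replace("-", "A").replace("_", "a")
    return base64.b64decode(encoded, validate=True)


def carve(text: str, label: str) -> dict:
    """Extract one labelled section and report size, PE magic and SHA-256."""
    blob = decode_mas_blob(section_after(text, label))
    return {
        "label": label,
        "size": len(blob),
        "is_pe": blob[:2] == b"MZ",
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print(carve(SAMPLE_CMD, "sppc64.dll"))
    print(section_after(SAMPLE_CMD, "hexedit").strip())
```

Pointing `carve()` at a real sample gives the hash of the DLL the script would write, which is the artefact to pivot on (the .cmd's own hash changes with every release, the carried binary far less often). The `:hexedit:` section is PowerShell source rather than base64, so `section_after()` alone is the right call for it; read it, do not `iex` it.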
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-18\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-19\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
[depth 3] C:\Windows\System32\find.exe
    find /i "Volume"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
[depth 3] C:\Windows\System32\find.exe
    find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
[depth 3] C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /upk 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
[depth 3] C:\Windows\System32\find.exe
    find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\mode.com
    mode 76, 30
[depth 3] C:\Windows\System32\choice.exe
    choice /C:123456780 /N
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
[depth 4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
[depth 4] C:\Windows\System32\cmd.exe
    cmd
[depth 3] C:\Windows\System32\mode.com
    mode 76, 25
[depth 3] C:\Windows\System32\choice.exe
    choice /C:1230 /N
[depth 3] C:\Windows\System32\mode.com
    mode 130, 32
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $ExecutionContext.SessionState.LanguageMode
[depth 3] C:\Windows\System32\find.exe
    find /i "Full"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Windows"
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
[depth 3] C:\Windows\System32\find.exe
    find /i "computersystem"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query sppsvc
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
[depth 3] C:\Windows\System32\sc.exe
    sc query sppsvc
[depth 3] C:\Windows\System32\find.exe
    find /i "RUNNING"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
[depth 3] C:\Windows\System32\sc.exe
    sc query Winmgmt
[depth 3] C:\Windows\System32\find.exe
    find /i "RUNNING"
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Error Found"
[depth 3] C:\Windows\System32\Dism.exe
    DISM /English /Online /Get-CurrentEdition
    - Drops file in Windows directory
[depth 4] C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe {8985BFB9-C941-4C84-AA2F-DF718FE46BCF}
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[depth 3] C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
[depth 3] C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
[depth 3] C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
[depth 3] C:\Windows\System32\find.exe
    find /i "computersystem"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "0x800410 0x800440"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
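Everything from the Office key install up to the `sppsvc` ACL checks above is a chain of plain `reg`, `sc`, `wmic`, `cscript` and `powershell` command lines, which is exactly what process-creation telemetry (Sysmon event ID 1, an EDR process-start record) captures. The Python below is an added example, not part of the sandbox report, that scores such command lines with one regular expression per activator-specific step seen in this tree: `SoftwareLicensingService.InstallProductKey` over WMI, PowerShell carving and `iex`-ing a section of its own `.cmd`, `reg add`/`reg delete` under `Office\16.0\Common\Licensing\Resiliency`, `slmgr.vbs /upk`, and Reflection.Emit P/Invoke through `DefinePInvokeMethod`. The sample events are command lines re-typed from this tree plus two benign-looking ones; the `image`/`cmdline` field names are an assumed telemetry schema, and the rule names and function names are mine.

```python
"""Rule-based triage of process-creation command lines for the activator
pattern visible in this process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS re-types command
lines from the tree above into an assumed {image, cmdline} telemetry schema
(Sysmon event ID 1 or an EDR process-start record); the rule names are mine.
"""
import re

# One rule per activator-specific step seen in the tree. Pure enumeration
# (reg query, sc query, wmic ... get) is deliberately not a rule: on its own
# it looks like ordinary Office or KMS troubleshooting. Alert on combinations.
RULES = {
    # WMI SoftwareLicensingService.InstallProductKey (key injection without slmgr)
    "wmi_install_product_key": re.compile(
        r"SoftwareLicensingService.*\bcall\s+InstallProductKey\b", re.I),
    # PowerShell reading a .cmd, splitting it on a ':label:' line, iex-ing the rest
    "self_carving_cmd_iex": re.compile(
        r"ReadAllText\([^)]*\.cmd'\).*-split\s+':[^']+'.*\biex\b", re.I | re.S),
    # reg add / reg delete under Office\16.0\Common\Licensing\Resiliency
    "office_licensing_resiliency_tamper": re.compile(
        r"\breg\s+(add|delete)\b.*\\Office\\16\.0\\Common\\Licensing\\Resiliency\b", re.I),
    # Product key removal with slmgr.vbs /upk
    "slmgr_upk": re.compile(r"slmgr\.vbs\s+/upk\b", re.I),
    # Reflection.Emit P/Invoke from a one-liner (no Add-Type, so no csc.exe child)
    "dynamic_pinvoke": re.compile(r"DefinePInvokeMethod\(", re.I),
}

SAMPLE_EVENTS = [  # command lines from the tree above, plus two benign-looking ones
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"'''},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'''wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"'''},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'''reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f'''},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'''reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f'''},
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'''cscript //nologo C:\Windows\system32\slmgr.vbs /upk 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'''},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')'''},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'''reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath'''},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"'''},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'''sc query sppsvc'''},
]


def match_rules(cmdline: str) -> list:
    """Names of the rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events) -> list:
    """[(index, image, [rule names])] for every event hitting at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        names = match_rules(ev["cmdline"])
        if names:
            hits.append((i, ev["image"], names))
    return hits


def summarize(events) -> dict:
    """Per-rule hit counts for one host or session.

    Several distinct rules firing together (key injection + self-carving iex
    + Resiliency tamper) is the activator pattern; a lone slmgr /upk is an admin.
    """
    counts = {name: 0 for name in RULES}
    for _, _, names in scan(events):
        for name in names:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for idx, image, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(names)}")
    print(summarize(SAMPLE_EVENTS))
```

The two `reg query` and `sc query` events produce no hits on purpose; the signal in this tree is the sequence, not any single enumeration, and `summarize()` is what a correlation rule would key on per host.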
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
[depth 3] C:\Windows\System32\find.exe
    find /i "Office"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    - Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    - Modifies registry key
[depth 3] C:\Windows\System32\sc.exe
    sc query ClickToRunSvc
[depth 3] C:\Windows\System32\sc.exe
    sc query OfficeSvc
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
[depth 4] C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Wow6432Node"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
[depth 4] C:\Windows\System32\findstr.exe
    findstr /i "Retail Volume"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "" "
[depth 3] C:\Windows\System32\find.exe
    find /i " ProPlusRetail.16 "
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
[depth 3] C:\Windows\System32\find.exe
    find /i "2024"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Subscription"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
[depth 3] C:\Windows\System32\find.exe
    find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
[depth 3] C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe
    find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe
    reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe
    findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-18\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-19\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe
    reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
    - Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
[depth 3] C:\Windows\System32\find.exe
    find /i "Volume"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
[depth 3] C:\Windows\System32\find.exe
    find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\mode.com
    mode 76, 30
[depth 3] C:\Windows\System32\choice.exe
    choice /C:123456780 /N
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
[depth 4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
[depth 4] C:\Windows\System32\cmd.exe
    cmd
[depth 3] C:\Windows\System32\mode.com
    mode 76, 25
[depth 3] C:\Windows\System32\choice.exe
    choice /C:1230 /N
[depth 3] C:\Windows\System32\mode.com
    mode 130, 32
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $ExecutionContext.SessionState.LanguageMode
[depth 3] C:\Windows\System32\find.exe
    find /i "Full"
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
[depth 3] C:\Windows\System32\find.exe
    find /i "Windows"
[depth 3] C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
[depth 3] C:\Windows\System32\find.exe
    find /i "computersystem"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[depth 3] C:\Windows\System32\find.exe
    find /i "0x0"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    - Modifies registry key
[depth 3] C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
[depth 3] C:\Windows\System32\sc.exe
    sc query sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\find.exe
    find /i "RUNNING"
[depth 3] C:\Windows\System32\sc.exe
    sc start sppsvc
    - Launches sc.exe
[depth 3] C:\Windows\System32\sc.exe
    sc query Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\System32\find.exe
    find /i "RUNNING"
[depth 3] C:\Windows\System32\sc.exe
    sc start Winmgmt
    - Launches sc.exe
[depth 3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
[depth 4] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
[depth 3] C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "10" "3⤵
-
C:\Windows\System32\find.exefind /i "Error Found"3⤵
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition3⤵
- Drops file in Windows directory
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe => C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe {212E4BE1-937E-4A06-9235-5B2CCB6A2403}
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
[depth 3] C:\Windows\System32\cmd.exe => cmd /c exit /b 0
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
[depth 3] C:\Windows\System32\cscript.exe => cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
[depth 3] C:\Windows\System32\cmd.exe => cmd /c exit /b 0
[depth 3] C:\Windows\System32\wbem\WMIC.exe => wmic path Win32_ComputerSystem get CreationClassName /value
[depth 3] C:\Windows\System32\find.exe => find /i "computersystem"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
[depth 3] C:\Windows\System32\findstr.exe => findstr /i "0x800410 0x800440"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe => wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
- Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
- Modifies registry key
[depth 3] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
[depth 3] C:\Windows\System32\find.exe => find /i "Office"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
- Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
- Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
[depth 3] C:\Windows\System32\sc.exe => sc query ClickToRunSvc
[depth 3] C:\Windows\System32\sc.exe => sc query OfficeSvc
- Launches sc.exe
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe => wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
- Modifies registry key
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
[depth 4] C:\Windows\System32\reg.exe => reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
[depth 3] C:\Windows\System32\find.exe => find /i "Wow6432Node"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
[depth 4] C:\Windows\System32\reg.exe => reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
[depth 4] C:\Windows\System32\findstr.exe => findstr /i "Retail Volume"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo "" "
[depth 3] C:\Windows\System32\find.exe => find /i " ProPlusRetail.16 "
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
[depth 3] C:\Windows\System32\find.exe => find /i "2024"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
[depth 3] C:\Windows\System32\find.exe => find /i "Subscription"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
[depth 3] C:\Windows\System32\find.exe => find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\wbem\WMIC.exe => wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
[depth 3] C:\Windows\System32\cmd.exe => cmd /c exit /b 0
[depth 3] C:\Windows\System32\wbem\WMIC.exe => wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"
- Drops file in Program Files directory
[depth 3] C:\Windows\System32\find.exe => find /i "Error found"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
[depth 3] C:\Windows\System32\reg.exe => reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe => find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe => reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe => find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe => reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe => find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe => reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe => find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe => reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe => findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe => findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe => reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
[depth 3] C:\Windows\System32\find.exe => find /i "0x1"
[depth 3] C:\Windows\System32\reg.exe => reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
[depth 3] C:\Windows\System32\findstr.exe => findstr /i "volume retail"
[depth 3] C:\Windows\System32\findstr.exe => findstr /i "0x2 0x3"
[depth 3] C:\Windows\System32\reg.exe => reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe => reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe => reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe => reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
[depth 3] C:\Windows\System32\reg.exe => reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
- Modifies registry key
[depth 3] C:\Windows\System32\reg.exe => reg query "HKU\S-1-5-18\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKU\S-1-5-19\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKU\S-1-5-20\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe => reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe => reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
[depth 3] C:\Windows\System32\reg.exe => reg query "HKCU\Volatile Environment"
[depth 3] C:\Windows\System32\reg.exe => reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
[depth 3] C:\Windows\System32\find.exe => find /i "Volume"
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
[depth 4] C:\Windows\System32\wbem\WMIC.exe => wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
[depth 3] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
[depth 3] C:\Windows\System32\find.exe => find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
[depth 3] C:\Windows\System32\mode.com => mode 76, 30
[depth 3] C:\Windows\System32\choice.exe => choice /C:123456780 /N
[depth 1] C:\Windows\system32\Clipup.exe => "C:\Windows\system32\Clipup.exe" -o
[depth 2] C:\Windows\system32\Clipup.exe => "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem126A.tmp
- Checks SCSI registry key(s)
[depth 1] C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE => "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
[depth 1] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebaf6ab58,0x7ffebaf6ab68,0x7ffebaf6ab78
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2056 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3980 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3496 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3448 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4412 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4452 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3636 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1536 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
- Modifies registry class
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5208 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5200 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5004 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6076 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe => "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
[depth 1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe => "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
[depth 1] C:\Windows\system32\wwahost.exe => "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe -k UnistackSvcGroup
[depth 1] C:\Windows\system32\SettingSyncHost.exe => C:\Windows\system32\SettingSyncHost.exe -Embedding
- Checks SCSI registry key(s)
- Modifies registry class
[depth 2] C:\Windows\system32\verclsid.exe => "C:\Windows\system32\verclsid.exe" /S /C {72C984BA-0666-4D3F-A0DE-96BF43838E6E} /I {0CB6E812-BD37-4416-BFAE-E44A7C15B453} /X 0x1
[depth 1] C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE => "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\CredentialEnrollmentManager.exe => C:\Windows\system32\CredentialEnrollmentManager.exe
[depth 1] C:\Windows\system32\svchost.exe => C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
[depth 1] C:\Windows\system32\svchost.exe => C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
- Drops file in System32 directory
[depth 1] C:\Windows\system32\taskmgr.exe => "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
SHA256e20d418dbc6a50c89e496f6c2a638092a39012d954614586472d671d557a3213
SHA5128e10661912bd3ec7cbac07ae9c022008f4d7ef711cb3e7fea9eb86876ca6132b0c846a62ab8e15a65d9c185c51db2d12cc0c25590f4132e9089b7e847a791071
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
10KB
MD5678089ac5f0ebc80ac98acee9ac27841
SHA16e377f6df307a3f3b9ce618bdcf5603772216519
SHA2564adcd0e43afb8b5785382be2e9bd56389e8eb1660d3f4cf42bf8e846c80e330c
SHA512a0ca2d378b33fbd3942296abcf145471e34cff11f2c174793b157bb4dc7c2de0ef4773ea0238c5e68f84c1bcb2242819bb0929343dfc58d1a7e16611bc28e5f9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_outlook.live.com_0.indexeddb.leveldb\MANIFEST-000001Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
6KB
MD5593a3e4e0e9a50485833bca9e3eb2ec5
SHA1a2bcde9909a04ddc71b31512e880cac32f6b01c8
SHA256ba28c6bdc71efb704a6a2c48da79cd78e4e170c39af27f51b552a93bbe878681
SHA5121cc6bf852c5e6d10d96b255960a96dedbccfd6de75d03d994ada8191d764d3dce7dbdee5db162b86fe851f5792ebeae843dde0c9b679f8b9210044c2c54f091e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD5aba2f40fd333f9eae61cd70da1838043
SHA14bb213b49d3fc7c2f661ed944e40514036d7be58
SHA256006e0e56397a7d275b60a1e8e1101ea366a5e9d348342034e9cd0295f4d07b3e
SHA51202d0ce0f3a09900f2586debb89fe1047118ca30723585255c4e3756a8e822e53473ea04485038798e19d26f74d06a9bfb60c1fc3703a0383e74a43c207d5a8c0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD58fb9a36a23f1379bd980652fa9fccda5
SHA1bb6e3320e7a940e678c73abc3b0bf44d0ed6cfd6
SHA25679c800c2a1ed220d7e9ae9b2edcfc4ca0f6e4215d3ef009efd77e84edde13e54
SHA512f1f42fd70fee75a8045e9170093026ae01279a54308d304db48fc8f8dc75d9bc5febef9ee7d405417ab8580e396af1b6ad2f3fdcf3c7a40b7114861af5c493a4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5b7f96d9831b6e0d2a14e3bedb11a7c2d
SHA14dca452a8b2e91cc0f8435a74dcc5a4a06a436c4
SHA256f8a54731366f07de408226738e3a553a680a215c71c14df7fb102009c19716ae
SHA51294fb971a570f626286823849d4f96155ab5410042d17a156f2427946c8a1dea96d7f218f6c93053a810ffd76853930e23a72c8c8182fec4379b5363a1934131d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5dd9369538c842b55ece4fb02deb2b643
SHA1c109579c55184a2b52584f9105e084be612f9fc4
SHA2569dcb3ff17105e0f481cf397e1c0467ffd5a69a16a62d04de7a99bafbdd4adeaa
SHA512e4c0de4986d01f55f2b72cbea0737940d09e56432459728e6f4f592809649cf662a030a90d1254417eda07edbdc3c252ad3eb39ef1fc1386a747a36c8c893a7b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5fa5af976ae0e6416202ad0c52f28fc7f
SHA17f4711e6b656036e4e54179f0e97d53cb227b545
SHA25650d8f61f5544f45bfb176740f72ec00fffa7c60b8ea3ff8445c9c60d9dc70aae
SHA512f67c2b8b00c23c2a9658364c5a96fa1acb10a1e26749e21a760c655d173e3630118e64ad96b80a500c0c4a99c0548d77919f2f5e17c715b5714add3fcb21db73
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5935d8c14c191025d9da96e2acfc6dbc4
SHA1051b298913c354ca92fe5371505cbdd924f0af76
SHA2560096064594f398d03fe620a62f01e779dcd28b88eb4e8154dd35944929590f8d
SHA512f8efb774febd88e4e20c3a245001a5676c027974ba13326663217497042aaaf16ab2295be491033aebe1dd10ad33cdb71ad281f0cdffc5aab0c2bb92ee6da47d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD50fd363c28f48d10795b5025db8cbade3
SHA1b540f44e2b8d67e1749a5b7152f95c63d9bc7df9
SHA2567004537ea710f2a6a3398d2429930406993052525a92a32853ca3da5f4328d81
SHA512faabd5f57bfbecdf4accfbba5f915a05ad49c109b97b0fa417cfaf4b2efea1a403b0efaed3a79ba6fce18b35f33cb237082807c8561a66e3ed68ab016037265e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD5b3590e172b42df49d99767291c76e925
SHA1c3044490806af5b806c4c976bbb0d1a212408ec9
SHA25682c6861e246830e9b7c8fbd252442811a42ef405b1347de16bbba88b03bab158
SHA512d73d5d02c9011e4a2cd45ac8323a59a067c39e2ec27faefae442e9dc973f58775697b3a15f0c149aaba379629025829e965ccd6f87824cef1afc96f0a5388804
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5ae36da0c9e0e5aa26647c2dba3df5467
SHA1fd2591f8d8f4d2cfc97d365fed6aa403146fd15f
SHA2568de05d66f132ddc0b26da9a6418047a75e8fb141bddc8011906a6148fe8774f8
SHA512a65b99148df4c265ea3e330861fe865e90335a07dc5a4962d9f4324ed234b86b7d3c783ab58f68f4e4bfe84b0a30ae9a153061d11a7728bb17e7c383183197bb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD50038c68a4dadf4559dc01863e6554892
SHA14d98a8e40d2273e5f8387a44622883c18c24de3e
SHA25646cc3849180e78d5f3f81f5cc5c296002281cdf84709aa78a43e4aabd937d8e6
SHA512f01b81aba450e429a7f39908e63366749472eb4f6e1a667310bec5e38bc40fb20f7a3c47e462b69d5e7a531cd2c6e5df9c4628de0f4bfedbc3593ec71cbc1c92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD551821f35a1a6699b60ded647ec3d378a
SHA1f10868940e5a5a5576aef6bc3ee4a5b891f054d8
SHA25664ba02c1fa6b1dc874cbdf04f5979527391bc6b9f14141b58ff67427823cc718
SHA5124d1b67a356c8028c8b178775259199bfb182c85dca4f61a6e3e86be583c72c43496108a490706a2afae49ab66d7567cc657f590f9b0f89e158a9aba7655e98b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD556bb923ee1d4ca34449bb85b7de85e68
SHA11328adff2be30b62d25260c0f39ec5946033f064
SHA2566f9452c3198e1e31d3335d971984cd4d78b152d4f046061015f4f3f2048d5592
SHA512cb47fcc7bd697371337740edead6aea18dd25abf1cb4634d533cf8bc0d0e4deb6e777f394534bb09805e14bed6f622182ac36f07d4cfd4c9e530b0b816db1ee2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
3KB
MD59c866c417474bfcb040a7bedc60212aa
SHA16d7e9a9ddfc685de61426af3ba6798b91d543fd1
SHA256b07be1699c7398f6a16bdaa7f39175fa932e26c45acfdfbdf3e603077a0d2e2f
SHA5123ffcd030aa60ce964f5b4e7fcc0031d4aa57161cb49003a2af0f8aaab4709ff1f16bb5930ad39c24589c7ad50a0edd63c1cdffe4feff0cf69bb7971db25c47b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
3KB
MD5a0b4b9f24e50d08b6332b965d8deddd1
SHA1634bbdc4b9a3ef537f6d3c3d2fa936327462288a
SHA256efe02cc052d6e5121d905fa5e8bd762ab3c7bce40b6ed010f8f1e77d763b35f7
SHA51207cf239e72566c147b81f4e724d27b164d5c43dfa08826ca49cc2bc17e78a81dfbbdf33756847e42b46506805312ebff8a80dfae8065b5d65d8b65dee6f76b00
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD54d0f2f590c8938cb24e1403c693af314
SHA1b1c14a19b49a3e76a3474089d1d00815ba64ad93
SHA2561f4cda04d50522f5de78e48ce83dd01b7991ea686eb30c8f7e7b79c0e275127c
SHA512b14aeabc0cd55cacbee0a25a636e8c54fca81b9a0d8c68de9a6385fef907e42b42d84e87c504f157bb0ee0bba07113e0c8b8ec2f750c61dc97ea012dac73afdc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD536e62fbe08b0a7466ed7d581b30bb291
SHA1203665a2e979c020d3b7e4eb8b65d88fc583bb0a
SHA256402d9866ee19776ebcbf5e1585048c2806beaf554fe925af490a174ff233dc85
SHA5128fc2efa1a282c2e1ccd658380ef385fcfb978ab435dd034aa3d2014cc5fcab161602db6151c29d2ac7a1497c9e25f46301e6202b727fa96974eac7685be63599
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD54f6dc5154371ba678a4d4771368567dd
SHA17fc326dbc0200db32ec22627cf099b9087ab39fc
SHA2567d841d6f58f199571ebb204bb0ecfd187eef533f516e447b64ff541d32fa4b06
SHA5123ee1f215c36f7ef5aedc4b985cdffa8347fc4ef8509e9bc009ae41b97c916895b3be1930f2b9ddcd2d77de7c4da4e144835fab1c7403f6fd8cca388e20540759
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD518ca2e4e551656f02f293544799c2ca2
SHA1aadfd0b9296bf4b60c991039e2f40c583bbc13a0
SHA256b965048f6b4903774ff6bf6bac99f6705e27f6b27576b175017f37dd9e74d82d
SHA5128a759351b8ee8919169185cb9ff78cca8108a5301d53a14005bab13ff21124813c5836ab6c90e5dc93fcf0ca134d06c592b1e3da595fb6d0a0416f9f4d0d6271
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD570e8aa5436668fb83c00dce1a307131e
SHA14e7b68eaea1f20f8fa793933d06a3ff8d18c70d8
SHA25635f51f4a1d504be1ad7b1485c164d056935afaad44df5569fd31a708a8c787a2
SHA512832959dd3ed5ebcee648114fa544c2521c90d107900b8a44c958f3b1e3b789b05ebd1915f1a181227f45f386cb45d3ef07d741a9b69cda8746e4f51eb2632aaf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5ba0a3540ea2fe28450d4ad6ab5748758
SHA146953243e7db683b7568902cad43463cb524cf82
SHA256599788933c8b8ba4deca1a501b5fcafddb5c2e10dd79a0e26685c2092779001b
SHA5128b31b1a2e329032db8334ea7d3492571c3a10912a96cd66a7c709c45d9e2cc5a0e862dd6444e16de63554aa288951cf11015c3cf78d4ef793631efac70caebc2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD598e23bf2e9013eb09d90d044f2f6fe62
SHA1fd4f0d2e0bd634e858480d6f40c41e503f5e0ef0
SHA256b5bb644ed9a5592d807b06450565234e335e9f8dabd5478ad84c8c434a6fa712
SHA5129a5e9f5fa23166c29ab2f4f91383acb55e25b6a473cce76f6a5c713d97d4e32f17e0780e46b5c383313f72c500099d83b95ef242a19dcb99303c94d0c56fcf38
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5a51d9ba58f9d1de8cdfa4017d5a26ed3
SHA1b46a2d04ef6b7b3ceece2911742ff517eeaf8684
SHA256c87efd7399e9fc18910612d3ecb2d6c374fb49af42b2cd1f33b72dcc09fef3af
SHA512c7f1dbd0933c2754f11540db104ae26b7f5cf8a95c4d6b0dbc2dbb5dd75e04c548ebc4c3ae2f8a4d9508deccbf7aa7aaf85b47d5ad16943c989a12e078e98736
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD512b7b2aa79a2377d17af09385b7d07bf
SHA1ad0c7cc1fce55abb4a3973e142d7d4afff26cf70
SHA256cc05fe4b8ed4bf5c2a421d6838bb29a695db965425c99a84c82b24a45ba09174
SHA512859af3995e390c460a02d9a68caa90a20f17b50ebe1e543abbd78b59104e599687578fd6e31ee4af0e0df20dbb38091da4707387f394c39ccf5e379264db47a9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD584393f6249b14b6e0f5801a026892665
SHA13a2ae966b62a49095be2364066b1faf30146409d
SHA256bfd358a00c62ebb647a9f8ef4852c0bb67b8340444f9f6c8d8804fee7bc23d7d
SHA512c1d08f94b93e04a8a37a8db73bbc175dfadf33864b17f66544b1df309048822b1e5e0c3328bfdef4b02763007f24dada09b68cbe3dda5ea55149c6862a4010ab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5a58a97326c8be3aada16ad6421da12c3
SHA1d29e17b29ff2f7b3f987591e75eff2b083e77f0b
SHA256a22afc56b94bf4ebf02ede27d24f12defb3eb1715adb969ab980d6b56e581304
SHA5126f9fd6f4847d47268b096f6f9603781f45988c9338ea8a6064b437823d9a4c1d80bf73683276c9bde3261a7dd4316d605c99919b0612333c33295745363a8190
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD52cf0c24bf54ce99a553624e9ab6eb0e7
SHA174f14d353202c96480d441ed5aefe3ac8f7fbf52
SHA2564b4a342201dc1845283c25314633e23d6c73773194ad45cabb5dceeebcc90e8d
SHA512b15477afcbd15487901db9f72c18c5d60bed1203ab031ff4ba33cb4098304b49e6f59d3a764c9fe6104cdfc717ce252849a41bbd5a35dbc4d68d3f4e18d5c6c6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD58bcca50d36a1d8e3e20f09c64178b59b
SHA1e8ad3eec32d4193892c2416ed831bf1307362902
SHA256125e7780f9579fbfcc40a5d1f70f4236a7473e711e3aa7b816de0ad56ed47684
SHA512fc018182d1bf64e1733d8f0cc7dc570d785cc150fa01369edf1366a3a3d690d9bcdc1b60ad1655aedc689c0b4727a0b6185a4e5583257bb4527812c06d630b20
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD512a75beda9f246e828cb0c96e70d032d
SHA1a2b358a105ee1311205d8b8b3d63610107815726
SHA25682715038550ffa97523737031013a7996e2071140a459e41c2666408c80848d6
SHA512c5abbaff3c56f090d3b9f671f84e988c8bb0810b8b8c20412bdc67b6cabe37dab0db0b4675b34594554a88ea9970d91cae34c2b6718f6d08cdead09be0b1acfa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD57bb4abd9808fa1239fbb08061fa90d04
SHA132b3a8e94c28137148f038179ff12890630c0b9e
SHA2567f42c279494da7b5a4dc9c3eeb9dce0c16bb2b5c251f1f9afcbde522032d8b4c
SHA5124f005f32957a7d3d1115e4677fbce2b21a7f391c3e1aa87bc68789d7e5a3bce8ace9ca940119cb5f0384d3033b56e39f31dbfee3762ea1a26cabe0be8748385e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD53a4ee881a0b288fd2461f78fb34189a1
SHA19c4f21f2fff246a935c1d76d7a30ccf5458c497d
SHA256b206272f101ce50bbea0923f1c669b3953d893bc7f3c063386c9bcaf9924f18d
SHA51235a2d20b6f55358403fb9ae1cd027c84cc750b06e14e4bded70090d889632f55ed8b9de256c1957ffb3fd92fd67262b7215b168048842739ed88d4bc58635041
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD56d0eda8f93b85eb8ace48430272f6953
SHA174606774bbafb978413100377c4dc4b005922973
SHA256e3b7f7340d785697a11af84a30648363b64a31b122b08de75ac7c8abd63d17f0
SHA5121708c8990fc4501868595d684147c2a05010c5499bb8d38c07d9b099919b41153dc595446ed56f3119af2c6dd9eacb6a3eb41bc70dc7bb491e57051809542986
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5fc901c1e9b138ce528c62bb43cd29f31
SHA1393eca1906c6e9930d22216e7c50d2aa63acd532
SHA25639e70ed2ffb5660281cd7074f9bc9cc8b53455ad886d60d09201bdb5725ebbdf
SHA512e6a20a6ea8bb7f94d601f033491a91909d4797745fb4ce394399f501e0d3b057335a46133f51090efae10fe8a15dfefa5059d8353d0077964603e397d5937e22
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5394b9e5ca67e79b96013c6fec7e7fe0c
SHA16c254bd09e978e9d2f910aed610c71763bdbd2ee
SHA25638d2dc5d63fe78464b241aac1285d063b3a12054ac24bdd10eb805f2dff733f7
SHA512e42a55dc9282668251f5441b573659ba09f9ff11ff274b456c8ae5fc0cc5263cdd2b1bd3d10721c325ca7abb0524ca77854b27c6166ebfb31434140fcd0f5158
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5d1cd9fea1c5a0457512133349fd63afb
SHA18a9138d0e68bd7030906a181681f8d69b0e3c8a4
SHA256e6f8a473cf45f85944c728cac3cd40072ecbc3eb62da00a59778d794afe66ddc
SHA512ba1dcc28e06aca5c18290d485d404c31b5bb75fe20932b497afdbe1e6166b262ae002cde7458d3cab99df1b9750e8feb1317963ee1d3a7585b813a26c083ae0c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
4KB
MD5fd197c24f5db8f68c34fcaa823aa1cfb
SHA1e731220406002ef30bfc04d6287b6adb66d7440a
SHA256bcc036b8a233dfa4292bfdd47903ee8141eedb25c289c15db5928e588caa5692
SHA51262941d60407baef0d502fcdc2d3ac185c81395804e653366a3ce3e6576b5249a2fdd52b528e16570fea1a3dd6156e7d48dc3e37299c560d22b9170f5a08bcd3d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5736cd3475e87f0db7f2fe8c3b8e15d0a
SHA1051a35833c245f806362f44a52a92197c6c5c8da
SHA25664bbc7951902b6ff10a835b6dd0dafb102bbf1d6a6279f1e691c066d22b75a03
SHA5125338709b4c103d19e15451b1d16dbe3d2440f7e53ba15d9623516759903da2634680c6a5ac951ea063c251757a0c15e07d85e7fc6f7442fa737eb633b167e454
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5301e1fd4d45425aea725be0eddceac9c
SHA1c6182d7484970ec775dcbea25c039c2bcb89a957
SHA25645bdd0ed15d0c34c39f8600c82acece058567b6d5b984d71b6101dccf72cf483
SHA512712710dcae9cca31faad9163c7aab25b1b16a7ffe601157f454e7cbeb5ed02e319494494dc476b8de06c2d0a8e6e351422101ef27c89de524c296b345fbd68ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5fc5b7bb6e085d5fb074978a0ffcd841c
SHA16d4bf57ee964b04b9851c54270ac03df21c133eb
SHA256ae05b2a1ed1cd5055206ea165a641595b492b6c26ccbc03d2c57a6b17d84a890
SHA512114e70693dadf0cd8a08c64edc6cbe8fe7ded1044ef63f8b7377fd88eae32ab0e289cb906d2dbca4dd2896c4dfb51e717586b975ee3213e433131a593d8ec188
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD527d6feb11e97cce605182ca0ca821c7a
SHA1d393f7e9c4017c12c4e1f2c54400fd6e14eb3aac
SHA2569a504e11771fe54dc8ea2554595e22d0a9959240919c97e9769ce0b0e65b61cd
SHA5122576471d1a57f51e593f50c70c08f75b199258097ce6535ab06d22650b7c4a66b3e36347eb678ebcc40787e0d2b593ab1a76fdae51f054f4d266127559d2eb3c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD53d09c308514b4293740f16a7e94fa953
SHA14939c879b7bf497c554cbd76891d02c5a48e6b73
SHA256e5ff2cfecfa9ce6391c98994369216a15037253b4c50c2533a5cbaf6ba3300de
SHA512bbfc7cb0b9593c9526b84328936bb9ee095493e1be587fb8894e682f222f22f74ae58a664cd4918fe6b05541fa8aa641873e406b80fe1d53c6363aa236c42803
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD55efe7d641c8844e82cc16832c8353354
SHA1260c184935b9bf497bea43ad4c1290b7320c357e
SHA2560bb308da1d2fe52a86e47c7feb9efa841b5e6db7bd3e7343abb44ef22c62f52f
SHA5126b32c544e1964f281a62e83a62ff3aab4b2831c723d50708546c5f2fbfae213a334d487e531da7e7bf3d757e62a3ba184e2536ee4e31cc1174c914cd9190e898
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-indexFilesize
96B
MD54bdbe9f036c51fa27bef75cd51662bc7
SHA1fd3b804ccdf95337a49bf4df9e507dc7665e5933
SHA256f3f1f69241c037ddb2cbfc9c51b6bfd3d66c3cad1d8825d946b8f3a4b8e7a68a
SHA5129f76938db9202427102bf451cdb9d7b5c2ee8338601e8af825de63b50d725a6e768e87391c31877651951e93de3831316fb946db75f66d16fdccdd6146e0ce0e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-index~RFe6196e0.TMPFilesize
48B
MD50f987e9bc585b500f093fc57dcccdead
SHA1b48e81f9c2fdb2b9baf30a04f776ab2fa33e18db
SHA256bc65325c1bad7eab010ed20371d24fe02c4b34331b5d867cca61376aabbca6f4
SHA51283523684a387728e3685b98e7126226a3d976a8a78a76869aaafe14baf60a9c56284a0b7ffaa07795e4eee47923d68c6dfff6037366839b79083d37674a60f92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-indexFilesize
13KB
MD5ca64c5e4cf2949ef9b81e9bfd2570708
SHA1aee486ec2a6cc77d349a391e7757dddc4766feaa
SHA2567fcd5cb39378bba9b9a88d3c790432b596e7426791a91c17208375510ec70c04
SHA51201f1ca256ca7f5267198184c7aec019abf3f806671a0ee08358c012d913e8e3f4f75b055c8de6b5436700816c0f0a274f7209da9e889f3fa3cf3bf0c1411bd8f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-indexFilesize
13KB
MD582302bb17ba05dceca8a4b2f64a32d63
SHA1701095341fda0309a1f65939dafe8e22b09fcb7e
SHA25690e18370f8ccfa2aa8aa5fbd848a1b11fd87986a21c6dcc6a5710f75d61d473b
SHA51272fcd9f6fa0496821922c736fe049ff3f7b4045fbbaa497f99791316fc06bb39d2896fdaebfd6e1df202d18f809eefbc0889b976ed767a26b6be76bb2107485d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index~RFe61ac7b.TMPFilesize
48B
MD57d708560d7c48eaf77e5edf8a6d31338
SHA1dd750aa801c193c80829349ca1738862c530407b
SHA2568bea4a6fa07eaa72b6ee1d5100e977f40d9874db617d6b183b2eb071d3e5fc08
SHA51231dc78b0dbe0c262e995f8eda49a39cc959f76b1cab0d134147935be3f2b68625a04495fb8eeb0b8ad052fdbfb5739bc979d7dcae54e8538a3007eb3ac9b4124
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\indexFilesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-indexFilesize
72B
MD579a3e83a5f85d233ee8057c5ab11bd38
SHA1de307ae53c184fece4666ccdb32dd68b3db33c7e
SHA2564f6e3cdd7faac1e812554a28371c036f70bdbe50116d419a2f70a7a37731ee67
SHA5123b08cf0bb911c8720f2631f9ece83f239d8166f06bfc11ee8e5fcb6ccc9bec788dc29bbc8e42df378f5b538b0e0f868ef94dddb1f4d96badc44fbaf5a238256a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-index~RFe61a96e.TMPFilesize
48B
MD551bf0864496dd1c6766df5ac6d8f4423
SHA1a8a0929ff9386c79c93d98b39247b2ef6f8b56ba
SHA256296237b87601d70f6cab7c618e4abd1a6850f34f8e86a099e6e3ef21b37bf6e0
SHA512d6f3e64fc9261e5218bf84fc0a0da8642429a41a9988b7eec46b06153f68b6e1cc0502aea1ecd2c4408904302e79e38df4521a9c67c0707133f7a70f0d863007
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
270B
MD50ce6042cb591fec35169d1c4007c1b87
SHA1fccf7e0822f6536f4281ac44d90a331f3f8caa27
SHA256f6cf29495f5a6c54b8f6d14e63e79522aeb88ed45a7331138bbeaa04c78cd29d
SHA5121cf15685f1cf68a934b452c1f553b273a456b3a4e3e924f03d8efa53c9ed5ae6aa70d7259ba9e5a914b39b80e7894af98ce782984c290152364b75c9c1ce2646
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
192B
MD51c400a98ba1985e15dd9b66ef46851fd
SHA13360163c876f8fedf944378d956c1e9cb2dc3d84
SHA2569ad8af62597cd6b904cf43fcdb4ad7054cde38eca2175f4393f1ea8c90b3a81d
SHA5127c9e4675990fb8f0e97f0b6ea884e7e9e9088243703d7fb5b8b2bbbba67ebc8e32c0b9b6c39fc69903be394117050d2ec74d323d167202653c0a95b581778930
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
273B
MD575bbf54f26efab926ba975f24262f4aa
SHA1e594adfc5cece11a6962b87aa54e7eeb095d57d3
SHA25684aa77d07f05c613d3ea60969b990a42c7f797c341ffa719fa512e22bc2e4a30
SHA51202aedf9fbe9c5906b8718ee0ee518f9715c88b4f596246cc3c81d71232953363ee41ff0b162c31e8672c1c074fddddba32a3e0410747639914a646606598ab52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
270B
MD5519e3b6864f0c65b308aa491028ebf51
SHA14ba0d6f37045aa5e5df4ce34eb73d26f3d96bc88
SHA256d684f5b1eda9a073502582d572e3a1869e6a1e5f6b7cabfb3b554d939a95e4ea
SHA51212f7b6db65a06230202cddcbd26ffb78fecad1619627c1335c41d476d82844617a43c21d7415e283e76df3235bc30fdff89478364449ad1ce56328ef3017ee16
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
198B
MD5378276438abf4b12461b5575e175733f
SHA182a6b2c3a7ae702b72beae6236cba5f10a79cfee
SHA256ecc825ddde07c7b981fcdd825a2d9820e3c21460ba1ec409468c088cdeef95a1
SHA51297d8b5e3af0cd531c54ba5de7273d95d5c070220a6384c3be9ed150198f06498f3829260ae1c7c38816b9a623e285319499318767268e49ceea9f74e250c71db
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
125B
MD560792ace472681e4e7af06ea7311e2e6
SHA1f3559a5432a78334e9ef427300f25882cf98726d
SHA2566d8e491eb0036c2466e67ca60ae33c6bb7480cd46cd974d7a9ebcf418bcadd71
SHA5122635a3e6e52fe1632bede2fd19210405733d65005fd4784833fb0226345a1c62a1f5fb93a20cf95b1bf18a8e2e1e9f4b0d2b7e2aae91e1f6dfb6044935ed1085
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
132B
MD5342568911a0c69f88d977c579dca65eb
SHA121205c31c2cefc7689caa612b92bbe59c69e76cf
SHA25631c61250923f7a0d1dd71e3180bc62f0f8fcea59af3ea403399c9b2ce61a522d
SHA5125b0e20b8e78ed5cb414a8f968faf6153a52d53e3026f10ebf7ec0b7cb8e20a522ce2a1149d86453a32e12dc5431b4c0a9c094aee970cf6b0a441b15f40d83d6e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txtFilesize
58B
MD5b44bc8bc0db9431c30193a77bccf2f1b
SHA1f7c41ccbc7ef13596ace28e3762ebdd94af5319c
SHA256be0a572425d0f41823ff2a6cd0e26f30f82b5db7de65d776e236684298685d18
SHA5122eb8caf795f0de22784d460adff9bd084707496bf7aa1d8b23382f2d0f2b570e81b0e8e04a3988c816e0778933ff21f88083422c1c51e923069b857180cfe508
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt~RFe614862.TMPFilesize
124B
MD50fea942f43803cb87fa48442a5c90c34
SHA1c99d9b82a78c61d33f5988332a424a93b8a5a071
SHA2560394c9b9aa3a1ea3c7b5e523a7b5738e52889f12d41bbfe23ef0b9213139d9d0
SHA5129198ff12aa6fcd167ba8c5e436c3e30266144592f3b3544e75952d9a1ca216fda5d2f5c8a757ac25871d7ae6f837e96e3b71623eb4939c94956de473957a60cf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-indexFilesize
72B
MD5d97ad49ac1d46f679503a535eb6b0156
SHA15728e67169b78a54b2e1dfc8da0b29256fb0897e
SHA2560c3e5886f456d8d0cc2358276cb6b650982750ac47b5252eb182fcdc8ccbdaff
SHA512642c2884bc5e29e563154a561a2ecda2b2950939e2a8b42798924ee81673712d3dc8a385134f1e58f868155f17f901d279d508adc6ccac026669f59b56088a53
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-indexFilesize
48B
MD56cb762347e9e87aae96f4a5a2448513a
SHA12a4d9380cfe7cab9e7de790c34db4e13675e1432
SHA2560954574ff443d12efbc7b57d48cf51ac63992770423bc876f99c26d40df1b70a
SHA51283fd1b41fb2a1701b8f55366dff8b73f8040231fc5eb8c59071845e8b9a2dbb372c85ccff54883114da458e6376b63bef5a494359f4adfc4c69228ae24e0bb49
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index~RFe613cf9.TMPFilesize
48B
MD5a3dd97c608c032d3e79bf108d8f1500f
SHA13c8f836e8ba640418687ea8e8f81ba4acbe952e9
SHA25687370627f0e009e2a2739429a2854e2491c0325350811fb4d36b087f533e9d30
SHA512d5f91476a3eaa8576a7bf2879afbb34c9f5d522e37b32211a45d2c20b5f825bdf33afb5fa6ed86777e1664d8d41e2008994ad8a8811e9c3cce0eef0c624e6054
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txtFilesize
124B
MD54c938d6eb665658e7275cfd722726e4d
SHA10c8de1ac38aeac9d4e299c0b6383b880e98f055a
SHA256d37cc09a6470ded4f8b56b90e54094ea5e99dab8f605bb388c3b5e48206c5ed5
SHA512b03712310148c9c181fbc9bd3fc55ac2a374074d7cfcae17977bb73890202599b01dfaa6de7161b4a09dd76e6c540bdb6c92e4da0dbd075c68e23c394180151a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txtFilesize
125B
MD566d2cebb55cbdcf9ccc8635cd56c0c5f
SHA14cb0722b4f53dc4f03d4ca630ed3489638ab62ce
SHA256bca2e98693e231f372ff811d1ee558d3790b7e6c6d48c0340e5dc4cf68a7f19b
SHA5128dcc6431a2b402376c08b387a445e86464c95cae16dd3aca48e094e7384e984ad118979dccfc7f41166228ed9bd7b71e6295ddf85e989e25cb42c30aac50d48d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt~RFe613d27.TMP
Filesize
131B
MD5
cc7b03102ca98962821c1feec5b833bf
SHA1
f8e7dcd7662af6c7eefe731f415a1352a41bc904
SHA256
26d505b6c7eeaa9ab806d5050cdbad6cc8021fa3bac1ba85ed1d82e0aa3260f2
SHA512
89c2a93cbb7f85916baa721d8f646df84b137d3be5c2faa137b1119f0e7667513a46d4cf630a8656c4f0453a40cb869185cbb4ac09af24cf2effe8ef411354c8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B
MD5
23073689bf885e2f6a8f477c97d79f61
SHA1
1348c084677f13adee8c753093b922459fbf02e7
SHA256
23f82c123fb43aa3a1509fb7e4b6fff32e6eb657cca6e61460b07924873d23a5
SHA512
89f0fb6b60c65d13dbe42df259a95bc3b6fa0c1ce42a954f7301dc9fe7e57fa144a2e48cfbec28b406b9e3940d2ed6550d9579780d3407b20fff8d538a997b8b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB
MD5
42b7b6d870516836392c550ee8f6213a
SHA1
2278ae456620f35da7f25fb57241726320d0be05
SHA256
34337592d4f8f544e6dec300ce2de99cc17626ecec07af3b89e355841f65b18e
SHA512
b9b7704edcdfebacdd4bae36b424087dd61be3017dd2adb815d1045dcb56255d56bdfacb81eebabd769818b86d8cce9f5668c1b13823a03f76a99465f509b066
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB
MD5
e8ab30682a6621d761eac609abc45c3e
SHA1
b155bfcb5bc5633298a1adb800c1cead775768f2
SHA256
4a2b7301fcbb1e3ea80fbcbb46ac605d10573bc663490b0687ac6c992858fde9
SHA512
610be783e0c840862cb5c759a37d7b963efc90a1082d9fffd9991a48bbc81e7388e1c2ff00883ab424e00b75607b6a8f1e546d62e41feb9f736d1aca67eebecd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB
MD5
303c052341340d8144d681a50979d595
SHA1
ee5c989933117ac5f03151e3bb0aae846ad7ad91
SHA256
b8679fe579a4af2a0d822656109fb155d1e1da1186fa1aeaa9f4b328fafe17e2
SHA512
afe0ca32a36f66796424bef9cd65a27ad5dabf423b2fbe9c4e49fe43f0e5c92d82928b47f005a389bf6474ce6a39fc654fa00f22e122766fbeea3e9a7e6ff311
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB
MD5
bd29a8a07e15487074c75d500ef5ed4f
SHA1
852faf1b0b9d2228f76fa0e15484c926cfdc41ed
SHA256
9acbdb73b42b05f8aceabd04dde43a46d1388841fad9812f113ec7e7176d294a
SHA512
9c8071b8ce8bac1e1b19611b8b5477db4d455921566bcf93be54dd9cc95a95616f28cb6ce853d84e4b8657eda68d7de1f36a4ffc99ce14c83706d688024f6c06
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5be730.TMP
Filesize
89KB
MD5
46056e22cb4b9008fe226a070dd02072
SHA1
a0a72f53c1b0ab075b1209c7f1e874351b96d791
SHA256
9eb68dd370c3883279d58f7e6456343103d19fbd039e77ebef3d2bf6359abd03
SHA512
11ccec7ad54723f99c129600d97322a68d1d8a5977044be496fa062fc411ef8777f65dc92c9bed643b071d0e44faaf447b27a4de62af06671fc8c699df55e512
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7KRX8WJ8\signup.live[1].xml
Filesize
13B
MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml
Filesize
94B
MD5
72aeabca3cba8aa087e9d28257a11f1a
SHA1
7365f0a2d6bc306724bcd9da2f67f65f47583f3c
SHA256
f8ee819650ca1ad05c24278815663fe0419bbe16724c639824bf1c54920b2987
SHA512
2cf83edfd53f0b34361983115e3a8208c9691b3d92d34f5f2045fc5ece5def2057a58066b0ee3de2eb322a06284e548693a31ddb273ca625b83b39d3420212f0
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml
Filesize
356B
MD5
93f8a291161a802b6bb55bd373dfda56
SHA1
0ed92541156096f211af20775ca2809e44ae8c76
SHA256
7db754d23c2dc73c1f964a3e27858809f40673e8e1440c586e681cda1aae5c93
SHA512
5611f88dd31c02a1b992e8a26392f63f916918ce4f11f4e8b2ba506ebebb9d042bcea5ef9b3fed8ff6586a7799546ffa14d316fa4d2afe273200b1072eff7289
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\2B15BCF5-27C4-47C0-BB1E-B34F330E721B
Filesize
397B
MD5
2f82426450332b558a61ae9ca551abd9
SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d
SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52
SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\EDE1A75C-3BF4-4CE5-94C9-2D5E10C38D60
Filesize
1KB
MD5
85ad173999ed440af6120f3b4fd436fa
SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3
SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165
SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\427a833a6fd8c60b323447dd7e7cbf9705d67d5f.tbres
Filesize
9KB
MD5
e795bb071ae45bcafb34d26b6979635b
SHA1
6f0643459d037f0cb1227eca6562a35f6f08081b
SHA256
18ff082f8e51c3edd00518f7136e60f9029cc8b0ca642b8121e610a1639cb7b2
SHA512
a4d96e96a57c6f4f20e1e4cce5272aeec9796917cbdb36710d5a3af69f00a669f6aaae7a499e3077119e9631f6769d90d6b738107a508064511e171672c42598
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
Filesize
6KB
MD5
f90121b08e70c4ad8cb1670f4a527fe0
SHA1
c7320b27a68a09096d0499eb60c14c1c506e1518
SHA256
23e2025142db1d38a5304d52125825c4ceb13766c3a0ebb32f1ffbeab8d9a087
SHA512
024bd78e31e16cb452b9d5d8ac2f1da2cfe062c5691d220a98f08807461f2f005d699584aebfa90f6dc7369b8bbaafc4aab83e76169b2f47c4d564dc96a41dee
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\6386bdd51a3972bfe10f158d594c808af29a2432.tbres
Filesize
9KB
MD5
9aec6dd5aeac90b41b839a362f7d41d5
SHA1
aaf698a061bc54ab73f397347fd494c5fa8c1d23
SHA256
ee1ca9aa1de5492b413ab1dc2213fbddba858b93e192e6aa9e51db1ac65e99a5
SHA512
afd34183d28d21c97ab65baf1f5d13d08f0442378fa2ffc0b83020e393894dc06eb2444928604910a25b8a170610135115061dbc32d5edec1de0e52e8546599d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9b0c889ff339813be4d0dafa66cc5844226f38e2.tbres
Filesize
9KB
MD5
1eddc4a4f525a2b364cd2e9ab76f9d3d
SHA1
0d1662ef6d64ecd1f8408de1e7309a804d6de22f
SHA256
f56ee404dabba29bf1a1a4d889e61511992d86059757f40bab3fed6fb5132ee9
SHA512
4959075dfa4ba2fb1b2e45ecc4b552271b75dced9b94c644f8d0831a4e0de8ea6fd187073cee9d60fa908db8c8c6417edd25305760932173d8374ca59f10e704
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\b515e778236d075fb60ed7266f260eaf90fab988.tbres
Filesize
8KB
MD5
a71b58190ec957a901493aad0aee9376
SHA1
74725d0b0d56f59652726c02353e380f22b20f95
SHA256
f640f3be4e2923aa3ee64b82a7be4ff77559adfc77182bdce1d9aa1ecb5970d1
SHA512
284b49d1dfdee691270ba3c01e847e13744907a60deccd28d73a9ee9a44fc48bea645f87147a20854a8b806f1783884e9a8e3e379d452274ee633116090a3d60
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e35b480af2edfe0aaf0a0d8204630ad8db7dce6b.tbres
Filesize
9KB
MD5
4b65b241c19ed576a7091dd414136a54
SHA1
497e95c2d7de74d5994ca8f7ad2ec7ae61494437
SHA256
03ce65972a7cb816536b4b17d662ce53b55640418d301f0fafcfd50f6cca66fb
SHA512
f78a70b6574a8133ad141d979a12c5c9b3e79e1f7a1892bdde854c13da001a2ab57d3bc46c8d068206ad4ba191e9b1204208e27707b7aab4a0d72c59a96d1da1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\CommonDiagnostics[1].js
Filesize
40KB
MD5
08fbff79b5eec28ddff4d772223b81a9
SHA1
aaabd7e0b32698e8295139c4868e9aee5edbd112
SHA256
773a678845579e6334f19d4e62f29446e7898bd816359c74574e37884503f909
SHA512
f94a2c8d756313a616f4e3dbdb9661af3cc843f74cf066243c649f943e4aeab696e01e37e33cc57df16f73504b529702d28c779931adc2630c6d4fd318ffddc7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\jquery-1.12.4.1.min[1].js
Filesize
94KB
MD5
dbd7b1d283bb02ccfb777c11d73d9056
SHA1
31459140706b1a8a5ba0db3ec72b2184eb4ed64e
SHA256
3ac82b5a773ea82258a30c60d277acffa832ce446397fcb6abf39726c4330fb5
SHA512
bd46b6a103733f2320ed8c9b140602c2dc56a0cc35a6a0d300dee303a8194b464b23b8795efb406fd44ca0a3e94ee342d3d9c4a0d533730d11d4a1749c14fae6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd.min[1].js
Filesize
16KB
MD5
e051edec194749aab43851567a27c286
SHA1
ae34370f5f74ce740be0aab15c5231042094147f
SHA256
282e4d51d2b827c4d52d7219febb54e8068aa1f9e5981a2ca4d9fc1ef89892ae
SHA512
f3da52ed0df9a417f6d3eb936d8dac906de6a43bafc381a42094ed25322ecbaccf7c8652c0323f0b8edd7eda0c918d501281760d473d956fd8bfa8991efb8c93
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd[1].css
Filesize
22KB
MD5
8fa25b1b1147660a775d31cb82ae4b4c
SHA1
4c2e4f2f11e843a47b472cee9cec331c5b40bc92
SHA256
a179bad5af9f3240b7d0a9858eeca55def89872332b11d9190b3489be77ff440
SHA512
d3d92c13c7ac4a2d3931cf038a27c5226b9c9e9c068f63ecf291d9d6407b06450ed245c5bc0ef953e9cbe2fe112bc5080c190dcb311bb3a62b3f3a9bfed03226
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\jsonstrings[1].js
Filesize
3KB
MD5
7bf7077081c36cd1c279edd956e28e12
SHA1
75f18bcb3dcbd851791db887baf6d2e7f822d1d3
SHA256
bc813f4e19b7c3a0d0df54256ba40cd8a935f7561c84501ef0281ad732d92c6f
SHA512
fb8a882a5a8180f678b64f976802ba470609b94eb96d55b866549c5a47e6b7035067b0066899ea3180bd5a311155982f7f6ec8c950af225b2a48ceb42a1fea34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\knockout-3.4.2[1].js
Filesize
58KB
MD5
e956a74c005b7a243f0884d67e60f8f3
SHA1
c4fda6eee21550785a1c89ce291a2d3072e0ed9b
SHA256
a305fbb2ba223bf3b56bb8776b85f6f40d60dd082a74dbe28d143b5794c7e393
SHA512
eca283f482092f7793b4c1580cc834f59bd1f958b61b20af05ac1c5c20499676dfb99b58bffcf8ef0b166fa0481850bf78b1f4f4e5450116a0361d6cce950b34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B
MD5
5caad758326454b5788ec35315c4c304
SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
8857491a4a65a9a1d560c4705786a312
SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
4edc5d8588de3394e8a8d79ae5b943dc
SHA1
f79737afd4a1e21580ec1a165334b416911345ad
SHA256
a81d7b3bd76b4a17da3876d10b186920939834c8c877ad13ce475a8f07bd56d6
SHA512
b294a1b8eb74f6a33fee7371429755662c4620b051cf909b056e72f8c0088dc0d0c7651aa8fc4af1bd78559551a3984ca4a6ab816b8ab956b290c192df557d15
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B
MD5
1a11402783a8686e08f8fa987dd07bca
SHA1
580df3865059f4e2d8be10644590317336d146ce
SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb.log
Filesize
512KB
MD5
fc53efc8046748a1708e527dfd2c28c7
SHA1
b57b22b10cd3db380dcdef6436b592d8561cd25d
SHA256
e2e7af783840333e1356601dc4b4afffd4e7edd874a4fdbd5f659bd7c5f2dee6
SHA512
1c6faa46bdb7a3ced6ae0840e62598e07bb226dceefe06ec768ac40c3eb989a4e3f596cfd89b275bdf17a583953dea79781c6e9d24e8f5631e97ee3e2c567aaa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb.log
Filesize
512KB
MD5
4f4d4d09efe62331cd4224a217863422
SHA1
93920aab0ce893bd6ca92b7608094af6dc50fb0f
SHA256
078eadea7e5d8ad2741c8eaa1462c28094864ca2362153718ba562bbe9bf3f95
SHA512
62a7c400d1832090d9498941b7a12228b11453f3b673f558bdb93591c6192db0e2dcd400698c42537e5f914b27a73f285fa23be1b1fbafd15b0e6aa96850ec76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
1348e4e8fc451e8021f935f4b1376c95
SHA1
c6fecb47e09a1a255cbe9a9f03d91d2100cd1737
SHA256
cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01
SHA512
ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
a2d5c41311177bf18a795638cc4e2777
SHA1
40625aa169f3bceb6b96060b8a0634bf8cf5eac1
SHA256
63b9d5b599c016878ea7fa9de88fd0a6e89b09210475f4869b0d8e5a71946c23
SHA512
e5c5cacd31a05a67449ea44fd403f4585960ff3a45104bc1044d2cac2acdc1a3e309241092a327df4f186367cde75355c7622d213925efbbd813cdb22fdc7ec0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
861844a1e60337f63283dd46f927efe7
SHA1
58d8936597bc3f4486ad80a30009c5e7d0afec82
SHA256
40343f8b1fb6d58b69502eb2c7bb660484f6e8c2b9bb188576465debb6067227
SHA512
7feb5b6bc8d9b465da384b5865c3a2d20c3079ebb44891da4915dab637ad3ef3ad35f7a489d9b5fd1c634ffa2b448e19c957c639ddf94e9d610dd6272162dc6c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
c75fb6c2f7d4bce3e92e71212aa9f908
SHA1
2fe10fb75576fd0835f9e8cc7787fc9cf6f44957
SHA256
ef0026722623f63e93c756aea62689193afec567768013c438c3283e53d2fe3c
SHA512
47f9b982ef1f5970ab9028e5647c16c8d3b547541e6b8f80404c25c7a3d1d0ede2e1c184cf40186e26e735f5d8bf8a3eb5eec4363f38c2d5c6f4f4b07730ec63
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
878f1b9f64e4fb5fb252a5e9c4165ba3
SHA1
5fde0f04f6f2d5e871059897877ce7ef54280411
SHA256
3dba58f72ddf8c89e652b88de57b0cd4c10f3de0a5e6b459351e6709302a8ef9
SHA512
cc9399d06047efc6e91de71a4a3b2a0e3601fb10b2ea0589847885a0849dd145f525f239d00ee0a5cf423c9e6cfb2ea3f89f4e19c249a42aae00b825acc209a4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
b1967c3d3ddfdd9d53833305d8892aaa
SHA1
0d3ac5311d921f4bba94b84c49eb6e6c858afb05
SHA256
fccfaa31a572f29bc74e62b33d00e01453c086912bdd4c397039988d703f5cbf
SHA512
51ccc21759b7ff7df4e91ad464e89479a23a17079d9ef072f3c8846bdf47a50fc2ff14e174acde3ba75bd90d47b15b8e9baf23bd4c291905e7ae4edcdb77cdf4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
9c32516132d3fb495845fc6d80d03be9
SHA1
b0f9a7898309c2fbc5538bd10065cced3f6d7114
SHA256
a0533c03fe02f9d7956c3b3f1e1a85fa9da7ac5004f881f15dc2a793abc52a22
SHA512
e1a8488d25e72557007211b49c0606bded23b04e7d0844611cbe7e9b6cd090c35758fa56c08fe48f4f3b118fe939926a30db24b4cb513d14a8a64200a8caa051
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
b742e2b02e010e4507d59ab375513174
SHA1
05458811335e96fd069dd3d164927513041c7b4b
SHA256
e8d103e92fbaf535f09c8328980ef1f9740a5eec44c1e5fddd8c8586a969c44b
SHA512
38538de76e552f7ac059e3697ceaee9f64a55aca7d7ed667d584dc07b99d057f93dd91b768ed54c846eb884034da5e85f6497eb9876338586bcdf93ecf5b1536
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB
MD5
1ef45d5fbc69215234805a431a6b631e
SHA1
52eda8754e902c7f746a7e3d27bc1dd6c576efe7
SHA256
1374c3682d657eceab5ef8fbd5a8e5656e25e88d5ac5c695ede082d287237e8f
SHA512
5f74313320525fa24d65b0b99d63556943d68cf233b230e7a162becb45e49f38851243215eaf23df0577e1c4578ce3d44a0f346ee7925938a929af60a6314a16
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AppxProvider.dll
Filesize
554KB
MD5
a7927846f2bd5e6ab6159fbe762990b1
SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AssocProvider.dll
Filesize
112KB
MD5
94dc379aa020d365ea5a32c4fab7f6a3
SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1
SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\CbsProvider.dll
Filesize
875KB
MD5
6ad0376a375e747e66f29fb7877da7d0
SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39
SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCore.dll
Filesize
402KB
MD5
b1f793773dc727b4af1648d6d61f5602
SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCorePS.dll
Filesize
183KB
MD5
a033f16836d6f8acbe3b27b614b51453
SHA1
716297072897aea3ec985640793d2cdcbf996cf9
SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismHost.exe
Filesize
142KB
MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DmiProvider.dll
Filesize
415KB
MD5
ea8488990b95ce4ef6b4e210e0d963b2
SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FfuProvider.dll
Filesize
619KB
MD5
df785c5e4aacaee3bd16642d91492815
SHA1
286330d2ab07512e1f636b90613afcd6529ada1e
SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FolderProvider.dll
Filesize
59KB
MD5
4f3250ecb7a170a5eb18295aa768702d
SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\GenericProvider.dll
Filesize
149KB
MD5
ef7e2760c0a24453fc78359aea3d7869
SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IBSProvider.dll
Filesize
59KB
MD5
120f0a2022f423fc9aadb630250f52c4
SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ImagingProvider.dll
Filesize
218KB
MD5
35e989a1df828378baa340f4e0b2dfcb
SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IntlProvider.dll
Filesize
296KB
MD5
510e132215cef8d09be40402f355879b
SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1
SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52
SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\LogProvider.dll
Filesize
77KB
MD5
815a4e7a7342224a239232f2c788d7c0
SHA1
430b7526d864cfbd727b75738197230d148de21a
SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\MsiProvider.dll
Filesize
207KB
MD5
9a760ddc9fdca758501faf7e6d9ec368
SHA1
5d395ad119ceb41b776690f9085f508eaaddb263
SHA256
7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f
SHA512
59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OSProvider.dll
Filesize
149KB
MD5
db4c3a07a1d3a45af53a4cf44ed550ad
SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3
SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OfflineSetupProvider.dll
Filesize
182KB
MD5
9cd7292cca75d278387d2bdfb940003c
SHA1
bab579889ed3ac9cb0f124842c3e495cb2ec92ac
SHA256
b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f
SHA512
ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ProvProvider.dll
Filesize
753KB
MD5
70c34975e700a9d7e120aaecf9d8f14b
SHA1
e24d47f025c0ec0f60ec187bfc664e9347dc2c9c
SHA256
a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7
SHA512
7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SetupPlatformProvider.dll
Filesize
159KB
MD5
1ae66f4524911b2728201fff6776903c
SHA1
68bea62eb0f616af0729dbcbb80dc27de5816a83
SHA256
367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3
SHA512
7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SmiProvider.dll
Filesize
246KB
MD5
ad7bbb62335f6dc36214d8c9fe1aaca0
SHA1
f03cb2db64c361d47a1c21f6d714e090d695b776
SHA256
ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb
SHA512
4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SysprepProvider.dll
Filesize
778KB
MD5
8bd67d87dbdcf881fb9c1f4f6bf83f46
SHA1
10bd2e541b6a125c29f05958f496edf31ff9abb1
SHA256
f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204
SHA512
258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\TransmogProvider.dll
Filesize
1.3MB
MD5
84ae9659e8d28c2bd19d45dbe32b6736
SHA1
2a47058eafab4135a55575a359fbd22390788e93
SHA256
943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4
SHA512
d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\UnattendProvider.dll
Filesize
228KB
MD5
f7bd21c4170b1397eb098fa18ef45d4b
SHA1
05d36abc4853eda468eab68d289337962c76195f
SHA256
05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0
SHA512
8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\VhdProvider.dll
Filesize
560KB
MD5
c6488a9b3569230669c72f3239cbc108
SHA1
87b9b2ab5de52f246c1936480463bd402ad519b9
SHA256
4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36
SHA512
47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\WimProvider.dll
Filesize
589KB
MD5
229df404d67e69e57f9e284a66f2adeb
SHA1
7f4f703dbe8c274f5104d4d104dafcadf0c3857b
SHA256
8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377
SHA512
917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismprov.dll
Filesize
255KB
MD5
490be3119ea17fa29329e77b7e416e80
SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\IBSProvider.dll.mui
Filesize
2KB
MD5
d4b67a347900e29392613b5d86fe4ac2
SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\SysprepProvider.dll.mui
Filesize
3KB
MD5
93d076056dd01dfc64d95d4c552a2dff
SHA1
a90fd06a62c6d63d87e00f5f7e9646b44d2c726a
SHA256
4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4
SHA512
b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AppxProvider.dll.mui
Filesize
25KB
MD5
842ef8185050a821269f5e2ed5f0490a
SHA1
b39d06f75aa4b9b46f342d07f26c84f64ba517d9
SHA256
41c8b7200845f5ffd7466dcae1db7b8c25833f2f8118593f8c2770246a322a4d
SHA512
0ce48d990885e90a06f9829e626a73c3be7a8b214816d2792af75ff7c708ac55d047895d773052a2b67f80e3c61def222a0b78450ae3e48b5ad7c20faaeafc6e
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AssocProvider.dll.mui
Filesize
9KB
MD5
2168d71b7fd5330ab5fcfcb5ab1b1c07
SHA1
2d8042e479875499aa2093c8bd245c2291739144
SHA256
f4b88cb87179472655041518d123149eb49f1f484fe581805e3a2e35c4b1e344
SHA512
409ee809194bbc5bbfa5081a368f8834828f396e56d00436ac8f1c30bf7b0974bbae1b8790dfc08a1b6d83f771493ef7b0372cce4feb079533254f5ed665e360
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\CbsProvider.dll.mui
Filesize
59KB
MD5
e5fe9e638b4744b799579563e433aeaf
SHA1
380b3f0fb659fc43f5fadfbcccb4fee049a668c4
SHA256
b6517203d9dde04a3b8a715cf47f83825928e4316e09763fe3cf0f6e1b1d8cd3
SHA512
5bc2100c11847c4744673e894d3c8722053271f3bf15788e4f25bcc2a14089cffb761784b260af593463abbf3a9efaf7988f946005f94be016743b8369e695b2
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DismCore.dll.mui
Filesize
7KB
MD5
f91875c04330d1f8cbb6bcfa1637be8c
SHA1
abb88cf8347b02b9a3939d8eaa0a762f09520e9a
SHA256
4ca363ac6299a3eff6f099c6897ad45793fe0e2093f6f2782614b7a98bc40ff1
SHA512
c1439fb8c0ac0872247d64fb98ad49b158cb0d742f40d836e2086c97606b6bec0ad29b8c5fae6ea72c6695cf34efe2e3dacf87be5874fcadacd0439ca19d08f2
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DmiProvider.dll.mui
Filesize
20KB
MD5
f1414df5b1c4c9aa010b60fc0f49c28a
SHA1
75649556f45c3c0e4566307598472937f994b725
SHA256
3717e900e1490eab331474a0cf20010a5f775d6c45bd6d3406cfda8e6241f864
SHA512
d0b33c06fbbaf9a721803e7ecf1130c91e2234fd3dcedff291fae1d828a6c486229f670d8d3fa0143bb2604bc7b370f71e9f618fd7aa609acdfdf1667d014fc1
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FfuProvider.dll.mui
Filesize
9KB
MD5
4fe1ece3b234048791d5d97844fe3304
SHA1
dba744f5c41dd136e498acc442da8bd5e0455ba8
SHA256
a7a6297f75e30830ddde1f5dded0a9131a1e9d9dba0182ce7d9f5fb8fdb72726
SHA512
74e74eb1c561be31edb1c944838170e9ffc554ed0484fd7a99381e4cd61bb559e4ce7aa6a785f294df991b0d76b4bec841032e1f9e4c23217051017c3fbf5feb
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FolderProvider.dll.mui
Filesize
2KB
MD5
c514bf1f906c4505b159ac558b3192d2
SHA1
0c97fa7adda3da788f6cdbec0aef00e68bc46402
SHA256
09eb31cca48ab46aa3ffeb1efa50ee1a0bb58fef66328fa2f71e06e9f0ef5a2e
SHA512
e9b6c78179f394d5c69718d9ce82bd6f6b278067b68a79e9138cf92d48554ffd65c47a722dc02b9031a89ed23065c5fffb529f2ff35856c20c41d5d849fbe915
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\GenericProvider.dll.mui
Filesize
5KB
MD5
5699303a2d4970f89360068b6dde8674
SHA1
371a7b79e71bad4d7da3fc5d79b0be08251fd7b6
SHA256
26995bef958d5c2b5748f3f17d2767a9918ef8f2a82b98859913656b70e23358
SHA512
8a8d07a4127510950a96701870aca16e315732c88a3d359133c08820a4f0fc4df8eb62364b80af1e7792da5a5bb4c453938c96acea208434f9e6995efc7002bf
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ImagingProvider.dll.mui
Filesize
19KB
MD5
cc4d83d9206a2352295b036204b1e1bb
SHA1
89647c71480550dbd8ed0fe5039d53996715be9f
SHA256
116a74db2b5024a38307080651aeeb98d15212b1c2547822421f38dd43699714
SHA512
87285d309a6410e006eb5b3277de4219bc836f531211677e615e875ea903462a38ac8be66ed08dce804d7b782eb4f4c01f73de5c3a0f90a36859b87b56fa0c4b
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\IntlProvider.dll.mui
Filesize
33KB
MD5
7a667def21a5d84e95c0153e463667e5
SHA1
f980aab6026c343c535441fd52283713183e128b
SHA256
db2888717225eb457283c28424f1ce53397d0aa321b7619ebe0884cd10fe6c15
SHA512
dde58035cf1e53d4afe66aa69fee934ca31264fb4c12dff62c39a4bd47381e4c07a977b58dd4020d41f0c7bbc502d5ee6f3c43628d4fba8261a82662ea4c666a
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\LogProvider.dll.mui
Filesize
6KB
MD5
49546b639236f0f120a4982ba840f563
SHA1
cc080e0ce4cfc5a5e1bcc02823875234c05759f6
SHA256
bf2d54f231f3e814a401b6598793dc3604e2d381c3b3d9b5479c9fea87dad2bb
SHA512
8e6f8cd409a601be098fb1e61e733e5ce7fc06e365442e7a2ec508dd44bad2b10bd45288419bb672be5a278501da965831c8e92da545af8a3070ba66a4b01a8a
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\MsiProvider.dll.muiFilesize
16KB
MD58cf549ca23aa04d862ebf6e6e607cc54
SHA16348fbe4f32a01460de297e472343b3c0b32e34b
SHA256634ca4c93f54c358d1c541059a2e60fdc4a11f38ab676ed379a9e38a2fb3797d
SHA5125cb719abbaac3498cdded40ea191158621255f1fb958835e01809ef7532e5e8b3ad03af1170f0464dc7bdcf49230457e86c8c58640716c629fe659e94112fce9
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OSProvider.dll.muiFilesize
3KB
MD5d1f7a1ea380d32e97056793baba7cb6b
SHA1f5bae8cfdff3e45aaea570d0425b47833e2da197
SHA256344d70160791fa6d5e4b39afa0ebe996a4e6092672ce1e0750b4c640ca8e6a18
SHA51295def4c80bf43a8e9e7cf6dc272e4eb7e1847e5fa997c8a3f2ba53b9bb337289bacd8fd8a719b75818d44ae33ff817fdbf572296b258254543aaff98792a4649
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OfflineSetupProvider.dll.muiFilesize
2KB
MD519575370d599f89404fe876b132fd170
SHA1968fdaee7daed95a62cfa33cd03c42804dc96652
SHA2562ca9f61d307e874e29fbfcc90645a797c82a0891d9ecfd7c3aefa8ea759a2bc5
SHA512d35a383e49e2614019fdfdf585b607caab3ecaee6e577793863b8a1b84df2bc76de09577c9474b098d026523539f6e7b7d63071dfdc601821b5aad73f060e00a
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ProvProvider.dll.muiFilesize
4KB
MD5465ff43b338a4059ee0308a8de105a98
SHA10811614122cf0b8e23f805789b1910f788b20ffb
SHA25649d4ef65391503ab867354dceeb241e7690c92383458fd3349a85c669b80bd49
SHA51205ccaeea8e613ca50612b73b16175d77f68171a1e5af5111d382fccc88ecc41f83ae84f4c4d91885649197557e0b4c19bee3b23adfd13022b482cb8a92c3b728
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SetupPlatformProvider.dll.muiFilesize
6KB
MD554e7735303befc4017c8f7f79c70ac7a
SHA10e165c98d94ccadb80aaa8bba7644f50dd16c119
SHA25679bd40a61064b856fa169d2ab92e0f41202f08fe78b5c749c9bfb96f471792fd
SHA512125cff3faea70c3a7e0a3279022685d23bd0829ae7316ee2dc9afb568d03cdad4ce5d948776a736fecfc4f90d9dd655639ab4f2ab7610ad1ee41c48959ab71e0
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SmiProvider.dll.muiFilesize
2KB
MD5fe9a7502d09360933fec35a1dd9cb46e
SHA158721b66c428b32619d7f09568e86fa1a9339849
SHA256ee5a25b54776a63bc5bdd9a5ac3c6cacc7bf2b7f3761d2b489ef0060e5ac031c
SHA5129f8c752a19e8404c7c9497fc9b457404eeaed2d6a071aeb4927fea7c2d3fabb1547e479d8525547f4c190a56113a26a53575b4a7e4bb76c65ea656304b753a0a
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\TransmogProvider.dll.mui
Filesize
17KB
MD5
dd549e06e8b1a71eef97ebcd494fcc10
SHA1
b020953e0bb6dd6ae80f881f59591d067e75c63a
SHA256
1be0b61e8978639eb2f66956a1604f6f0a2d668f868a9ff48b5db33dea812901
SHA512
0d3f4700bd676a03d39460a7af08780eb06bfba2c9bbb6827ff8a39f37d0dc946de057ec2fd70715ce8839f55927cbea57c7d8b85a859252b0dc8d9a23c7b540
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\UnattendProvider.dll.mui
Filesize
5KB
MD5
7601ef496c3f171373605aca6299eb4b
SHA1
92c25a096a96c690cb405b2d5e2df35a06044104
SHA256
e2988f7e6ad35863b56534824069aaaf34fadd2d27524e5d030b706576fd359c
SHA512
0729514091ed0e0468a9466ba3d6b73bfd10eb0a60e1905671c443f66121d84fab57f511bf989580a715e4ea9ff9172aebfe2cc177674c8c14adce5b8a8de157
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\VhdProvider.dll.mui
Filesize
7KB
MD5
bc6b19d90559744702c1687b0e5b376f
SHA1
a3752de9ad56f2256a5190b01c641f173b60bfed
SHA256
631d6c84c00fcf1e7260734e92bee36243b8c40e97b853be1723dcae277ffaef
SHA512
9be6cdcbfb665a57e132388a0045a5ce6560740cf2d2d0537acaa7331cf1db2c6d0e1b2200d7cb892c7b6be47b73073a38e1ed6296631b7550a474110ef10800
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\WimProvider.dll.mui
Filesize
30KB
MD5
263b263e5fe8c078a3866eadf7b2bf79
SHA1
9dad2d78e5f130b72a39c15fc548935dc9b96005
SHA256
43bc4c6ed713d8f04d359151edd47d6d63eb64a87ec37fb95c0fc8f056c8c023
SHA512
d8ba69b15420aaa6c1afb1bded5d0afb821c73e1ef538f06dff0f4d87520622cf0a5a989a480755a3cb35b9949098575c6beb51bb747352c280916e87fbf68cf
-
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\dismprov.dll.mui
Filesize
2KB
MD5
bc47aa123dc9506548cade2321707cc7
SHA1
dd401731adcb6623d37e35dcbe8bcdf6b6adee7e
SHA256
b9c42d0a45fbdf2db979922d60e3f3dea41c2dbccae80de432674758fb23bc0f
SHA512
4d3cc7027323020c6c6bdaf6c52541ffbfe144d2285b549004ae6b724f24b9efddb7d3a7ca5053786d67e6181e1a3ff2acc9b231ba42e36113603dd6402204db
-
C:\Users\Admin\AppData\Local\Temp\TCD9A6.tmp\gb.xsl
Filesize
262KB
MD5
51d32ee5bc7ab811041f799652d26e04
SHA1
412193006aa3ef19e0a57e16acf86b830993024a
SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp
Filesize
1KB
MD5
11b8a58e4630b73c48180c5e812dfc1d
SHA1
d79ab1567d0dd76985f18c337aec6fa9e14b375f
SHA256
da68ef21bbee40fd047143031d56ab3197d7a4e5f9be63d60e7aaa643d90ecb6
SHA512
bddb041ddd3cac8cbef1fb3ef5ccc71b011847dd6ce021c9f83dad68cff1fe53ecfbf36a20efb14d79b21e5ccdfbff01e97c51fe9c4229f0d5f15093847291ef
-
C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp
Filesize
1KB
MD5
0aa0806ecc2f4db6888f0b6055c551a6
SHA1
792ff3cd4c37e77ec7c94e7cb5c380e5516ba5c5
SHA256
b3473c2c13089b77ec4a7cd1fbdb5ee42ebc10bcd5361a339e5378e3094b0865
SHA512
b935daa3a2fcf2361a24ed5160e8c021045176b31e516e9de6036dbf406f199e3b384becadca83dc60b721b8018cdbb255ecf50a66611650ed0b3aa80a36f758
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izr3agk2.zwg.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
9cff2861e70e46a581c46580bc0cc64a
SHA1
bfb77ac471e29df39a4d0f908f977e51914975d5
SHA256
a06aef3700510e2ccce1cd60f4b4ab12c60bf2297abcef90ceca7894f931bdf0
SHA512
38448eee75c38d57f14e4d5aa3726135f517f602e8b77dedbdba2a05055c6afe91c5c88baa9cd331d82c283763d43ff0f24cce80b3841b0ac40356532b44bdb6
-
C:\Windows\Logs\DISM\dism.log
Filesize
243KB
MD5
edb423df3e785acde9dda9cc85d37d6b
SHA1
456da55e581b285d2057c6bb19f43620d2805184
SHA256
a3450ad8b20ccf2a84ec4da112b01caa26825734010641f6ac08c59f27d1a90f
SHA512
aeda3c7bedcf9def748e0b3edb9a7afd5f7067d468db3741896512e5171536cdc520a45ce79f9c6d9f76ab3028dd6cdcc382f347f740255b7b98941269a06e7c
-
memory/744-469-0x000002182DB50000-0x000002182DB60000-memory.dmp
Filesize
64KB
-
memory/744-476-0x000002182DB50000-0x000002182DB60000-memory.dmp
Filesize
64KB
-
memory/744-470-0x000002182DB50000-0x000002182DB60000-memory.dmp
Filesize
64KB
-
memory/1244-484-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
Filesize
64KB
-
memory/1244-483-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
Filesize
64KB
-
memory/1244-490-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
Filesize
64KB
-
memory/1300-905-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
Filesize
64KB
-
memory/1300-1512-0x00000199F18C0000-0x00000199F19C0000-memory.dmp
Filesize
1024KB
-
memory/1300-906-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
Filesize
64KB
-
memory/1300-904-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
Filesize
64KB
-
memory/1300-910-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp
Filesize
64KB
-
memory/1300-907-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
Filesize
64KB
-
memory/1300-909-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp
Filesize
64KB
-
memory/1300-908-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
Filesize
64KB
-
memory/1368-486-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
Filesize
64KB
-
memory/1368-489-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
Filesize
64KB
-
memory/1368-485-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
Filesize
64KB
-
memory/1456-876-0x000001F42C230000-0x000001F42C256000-memory.dmp
Filesize
152KB
-
memory/1456-875-0x000001F42BFD0000-0x000001F42BFDA000-memory.dmp
Filesize
40KB
-
memory/1456-874-0x000001F42C1A0000-0x000001F42C1B6000-memory.dmp
Filesize
88KB
-
memory/1456-873-0x000001F42BFB0000-0x000001F42BFC4000-memory.dmp
Filesize
80KB
-
memory/1872-0-0x000002A1BB990000-0x000002A1BBA12000-memory.dmp
Filesize
520KB
-
memory/1872-10-0x000002A1B96E0000-0x000002A1B96F0000-memory.dmp
Filesize
64KB
-
memory/1872-11-0x000002A1BB900000-0x000002A1BB922000-memory.dmp
Filesize
136KB
-
memory/1872-12-0x000002A1BBC30000-0x000002A1BBD32000-memory.dmp
Filesize
1.0MB
-
memory/2240-2698-0x000001C2D2D40000-0x000001C2D2D50000-memory.dmp
Filesize
64KB
-
memory/2240-2723-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2715-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2714-0x000001C2DB320000-0x000001C2DB321000-memory.dmp
Filesize
4KB
-
memory/2240-2717-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2682-0x000001C2D2C40000-0x000001C2D2C50000-memory.dmp
Filesize
64KB
-
memory/2240-2718-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2722-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2728-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2716-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2727-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2726-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2240-2724-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
Filesize
4KB
-
memory/2808-48-0x000002A359680000-0x000002A35969E000-memory.dmp
Filesize
120KB
-
memory/2936-471-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
Filesize
64KB
-
memory/2936-472-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
Filesize
64KB
-
memory/2936-475-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
Filesize
64KB
-
memory/4160-411-0x000002327A5A0000-0x000002327A5AA000-memory.dmp
Filesize
40KB
-
memory/5332-2612-0x000002619A2B0000-0x000002619A2D0000-memory.dmp
Filesize
128KB