discordrat | b7178a09ec2b18d3ec02b0b7c746e27605bee55dc05969d67beb054c38f410b4

Analysis

max time kernel
323s
max time network
325s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15-07-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rostrap_protected.exe
Size

4.6MB
MD5

0028b642807c9e2140dc244e30e489e8
SHA1

c9cc4100fb893d8573ea09ca1b65c2db12e293a8
SHA256

b7178a09ec2b18d3ec02b0b7c746e27605bee55dc05969d67beb054c38f410b4
SHA512

4af2b3e47c6d91ce9e692f212837a99bc46273638f6a8f6edc4a30f2a9048e1637cadaa53ab0f37d561bba04867261ae19cb75db64c5bf3ad13359ab49ea8968
SSDEEP

98304:YnTmKmZl5qO4nVJCVJ5mFF5bVaP+q4WDi/6vnqAGLSj8hc7hw3lg8r/br:YnTmp5Sow5VRBWDpvnqAhR78lg8rj

Score

10^/10

discordrat evasion persistence rat rootkit stealer themida trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GItusX.BlaHBlSUZLcFqixVU_n9ThfF3DpKJGJou_LNIE
server_id
1261770885514137682

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rostrap_protected.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rostrap_protected.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

46 3804 powershell.exe
48 3804 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rostrap_protected.exe

flow	pid	process
46	3804	powershell.exe
48	3804	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rostrap_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rostrap_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rostrap_protected.exe

Executes dropped EXE 1 IoCs

Processes:

dismhost.exe

pid process

3984 dismhost.exe

Loads dropped DLL 23 IoCs

Processes:

dismhost.exe

pid	process
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe
3984	dismhost.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4272-6-0x0000000140000000-0x0000000140C52000-memory.dmp	themida
behavioral1/memory/4272-7-0x0000000140000000-0x0000000140C52000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rostrap_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rostrap_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rostrap_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
17	discord.com
52	discord.com
61	discord.com
62	discord.com
1	discord.com
48	bitbucket.org
53	discord.com
45	bitbucket.org
55	discord.com
58	discord.com
60	discord.com
13	discord.com
54	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rostrap_protected.exe

pid process

4272 rostrap_protected.exe

pid	process
4272	rostrap_protected.exe

Drops file in Windows directory 3 IoCs

Processes:

Dism.exedismhost.exeClipup.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\SystemTemp\tem1D05.tmp	Clipup.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3656	sc.exe
1624	sc.exe
564	sc.exe
3908	sc.exe
1956	sc.exe
1104	sc.exe
4972	sc.exe
1584	sc.exe
3988	sc.exe
4624	sc.exe
1200	sc.exe
740	sc.exe
1572	sc.exe
412	sc.exe
4668	sc.exe
4912	sc.exe
4632	sc.exe
1120	sc.exe
1940	sc.exe
704	sc.exe
2072	sc.exe
1408	sc.exe
3064	sc.exe
1704	sc.exe
4052	sc.exe
3488	sc.exe
2920	sc.exe
1512	sc.exe
4068	sc.exe
4776	sc.exe
2356	sc.exe
3264	sc.exe
4336	sc.exe
3144	sc.exe
852	sc.exe
3876	sc.exe
3724	sc.exe
4044	sc.exe
2336	sc.exe
4972	sc.exe
1820	sc.exe
4396	sc.exe
2064	sc.exe
2740	sc.exe
4360	sc.exe
4500	sc.exe
3616	sc.exe
4828	sc.exe
3172	sc.exe
900	sc.exe
2068	sc.exe
4828	sc.exe
1552	sc.exe
2516	sc.exe
2740	sc.exe
2800	sc.exe
4624	sc.exe
2672	sc.exe
3500	sc.exe
832	sc.exe
2084	sc.exe
4208	sc.exe
3500	sc.exe
1984	sc.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

clipup.exeTaskmgr.exeClipup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1464 timeout.exe
Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe

pid	process
1464	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4788	reg.exe
852	reg.exe
4340	reg.exe
1200	reg.exe
924	reg.exe
1616	reg.exe
3684	reg.exe
5016	reg.exe
1652	reg.exe
1408	reg.exe
5116	reg.exe
4588	reg.exe
1032	reg.exe
444	reg.exe
3508	reg.exe
2612	reg.exe
3160	reg.exe
4136	reg.exe
1052	reg.exe
684	reg.exe
3500	reg.exe
5000	reg.exe
4920	reg.exe
1256	reg.exe
1644	reg.exe
3788	reg.exe
1940	reg.exe
4052	reg.exe
2736	reg.exe
1500	reg.exe
2700	reg.exe
3452	reg.exe
2396	reg.exe
3728	reg.exe
1340	reg.exe
3180	reg.exe
1600	reg.exe
1904	reg.exe
4060	reg.exe
4396	reg.exe
4052	reg.exe
2192	reg.exe
4812	reg.exe
3736	reg.exe
2532	reg.exe
4384	reg.exe
3616	reg.exe
1584	reg.exe
3052	reg.exe
4108	reg.exe
444	reg.exe
932	reg.exe
988	reg.exe
1676	reg.exe
3144	reg.exe
3120	reg.exe
4300	reg.exe
4920	reg.exe
3820	reg.exe
4928	reg.exe
3100	reg.exe
696	reg.exe
4376	reg.exe
1224	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3012 PING.EXE
832 PING.EXE

pid	process
3012	PING.EXE
832	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Taskmgr.exepowershell.exe

pid	process
5004	Taskmgr.exe
5004	Taskmgr.exe
3804	powershell.exe
3804	powershell.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Taskmgr.exe

pid process

5004 Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rostrap_protected.exeTaskmgr.exepowershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4272	rostrap_protected.exe
Token: SeDebugPrivilege	5004	Taskmgr.exe
Token: SeSystemProfilePrivilege	5004	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5004	Taskmgr.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	WMIC.exe
Token: SeSecurityPrivilege	4500	WMIC.exe
Token: SeTakeOwnershipPrivilege	4500	WMIC.exe
Token: SeLoadDriverPrivilege	4500	WMIC.exe
Token: SeSystemProfilePrivilege	4500	WMIC.exe
Token: SeSystemtimePrivilege	4500	WMIC.exe
Token: SeProfSingleProcessPrivilege	4500	WMIC.exe
Token: SeIncBasePriorityPrivilege	4500	WMIC.exe
Token: SeCreatePagefilePrivilege	4500	WMIC.exe
Token: SeBackupPrivilege	4500	WMIC.exe
Token: SeRestorePrivilege	4500	WMIC.exe
Token: SeShutdownPrivilege	4500	WMIC.exe
Token: SeDebugPrivilege	4500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4500	WMIC.exe
Token: SeRemoteShutdownPrivilege	4500	WMIC.exe
Token: SeUndockPrivilege	4500	WMIC.exe
Token: SeManageVolumePrivilege	4500	WMIC.exe
Token: 33	4500	WMIC.exe
Token: 34	4500	WMIC.exe
Token: 35	4500	WMIC.exe
Token: 36	4500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4500	WMIC.exe
Token: SeSecurityPrivilege	4500	WMIC.exe
Token: SeTakeOwnershipPrivilege	4500	WMIC.exe
Token: SeLoadDriverPrivilege	4500	WMIC.exe
Token: SeSystemProfilePrivilege	4500	WMIC.exe
Token: SeSystemtimePrivilege	4500	WMIC.exe
Token: SeProfSingleProcessPrivilege	4500	WMIC.exe
Token: SeIncBasePriorityPrivilege	4500	WMIC.exe
Token: SeCreatePagefilePrivilege	4500	WMIC.exe
Token: SeBackupPrivilege	4500	WMIC.exe
Token: SeRestorePrivilege	4500	WMIC.exe
Token: SeShutdownPrivilege	4500	WMIC.exe
Token: SeDebugPrivilege	4500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4500	WMIC.exe
Token: SeRemoteShutdownPrivilege	4500	WMIC.exe
Token: SeUndockPrivilege	4500	WMIC.exe
Token: SeManageVolumePrivilege	4500	WMIC.exe
Token: 33	4500	WMIC.exe
Token: 34	4500	WMIC.exe
Token: 35	4500	WMIC.exe
Token: 36	4500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3264	WMIC.exe
Token: SeSecurityPrivilege	3264	WMIC.exe
Token: SeTakeOwnershipPrivilege	3264	WMIC.exe
Token: SeLoadDriverPrivilege	3264	WMIC.exe
Token: SeSystemProfilePrivilege	3264	WMIC.exe
Token: SeSystemtimePrivilege	3264	WMIC.exe
Token: SeProfSingleProcessPrivilege	3264	WMIC.exe
Token: SeIncBasePriorityPrivilege	3264	WMIC.exe
Token: SeCreatePagefilePrivilege	3264	WMIC.exe
Token: SeBackupPrivilege	3264	WMIC.exe
Token: SeRestorePrivilege	3264	WMIC.exe
Token: SeShutdownPrivilege	3264	WMIC.exe
Token: SeDebugPrivilege	3264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3264	WMIC.exe
Token: SeRemoteShutdownPrivilege	3264	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Taskmgr.exe

pid	process
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exe

pid	process
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe
5004	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

1268 MiniSearchHost.exe

pid	process
1268	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3032 wrote to memory of 5004	3032	cmd.exe	Taskmgr.exe
PID 3032 wrote to memory of 5004	3032	cmd.exe	Taskmgr.exe
PID 3032 wrote to memory of 3804	3032	cmd.exe	powershell.exe
PID 3032 wrote to memory of 3804	3032	cmd.exe	powershell.exe
PID 3804 wrote to memory of 2628	3804	powershell.exe	cmd.exe
PID 3804 wrote to memory of 2628	3804	powershell.exe	cmd.exe
PID 2628 wrote to memory of 4684	2628	cmd.exe	sc.exe
PID 2628 wrote to memory of 4684	2628	cmd.exe	sc.exe
PID 2628 wrote to memory of 1704	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 1704	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 3392	2628	cmd.exe	findstr.exe
PID 2628 wrote to memory of 3392	2628	cmd.exe	findstr.exe
PID 2628 wrote to memory of 3900	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 3900	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2416	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2416	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 3480	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 3480	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 4136	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 4136	2628	cmd.exe	cmd.exe
PID 4136 wrote to memory of 2072	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 2072	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 4972	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 4972	4136	cmd.exe	cmd.exe
PID 2628 wrote to memory of 3024	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 3024	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 896	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 896	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 3488	2628	cmd.exe	fltMC.exe
PID 2628 wrote to memory of 3488	2628	cmd.exe	fltMC.exe
PID 2628 wrote to memory of 1164	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 1164	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2060	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 2060	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 696	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 696	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2408	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2408	2628	cmd.exe	cmd.exe
PID 2408 wrote to memory of 3684	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 3684	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 2092	2408	cmd.exe	sc.exe
PID 2408 wrote to memory of 2092	2408	cmd.exe	sc.exe
PID 2408 wrote to memory of 4060	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 4060	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 3336	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 3336	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 644	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 644	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 4876	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 4876	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 3984	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 3984	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 3128	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 3128	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 900	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 900	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 4744	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 4744	2408	cmd.exe	cmd.exe
PID 4744 wrote to memory of 3352	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 3352	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 2168	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 2168	4744	cmd.exe	cmd.exe
PID 2408 wrote to memory of 4336	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 4336	2408	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rostrap_protected.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1916

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\Taskmgr.exe
taskmgr
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_18118704.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\System32\sc.exe
sc query Null
4⤵
PID:4684

C:\Windows\System32\find.exe
find /i "RUNNING"
4⤵
PID:1704

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_18118704.cmd"
4⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:3900

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
4⤵
PID:2416

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
5⤵
PID:2072

C:\Windows\System32\cmd.exe
cmd
5⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_18118704.cmd" "
4⤵
PID:3024

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:896

C:\Windows\System32\fltMC.exe
fltmc
4⤵
PID:3488

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
4⤵
PID:1164

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:2060

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
4⤵
- Modifies registry key
PID:696

C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_18118704.cmd" -qedit"
4⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
5⤵
- Modifies registry key
PID:3684

C:\Windows\System32\sc.exe
sc query Null
5⤵
PID:2092

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4060

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_18118704.cmd"
5⤵
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
5⤵
PID:644

C:\Windows\System32\find.exe
find /i "/"
5⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:3984

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
5⤵
PID:3128

C:\Windows\System32\find.exe
find /i "0x0"
5⤵
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
6⤵
PID:3352

C:\Windows\System32\cmd.exe
cmd
6⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_18118704.cmd" "
5⤵
PID:4336

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
5⤵
PID:2256

C:\Windows\System32\fltMC.exe
fltmc
5⤵
PID:4068

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
5⤵
- Modifies registry key
PID:4340

C:\Windows\System32\find.exe
find /i "0x0"
5⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
5⤵
PID:3144

C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
6⤵
- Runs ping.exe
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
5⤵
PID:3192

C:\Windows\System32\find.exe
find "127.69"
5⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
5⤵
PID:2800

C:\Windows\System32\find.exe
find "127.69.2.6"
5⤵
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
5⤵
PID:3004

C:\Windows\System32\find.exe
find /i "/S"
5⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
5⤵
PID:5060

C:\Windows\System32\find.exe
find /i "/"
5⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
5⤵
PID:3248

C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
6⤵
PID:4920

C:\Windows\System32\mode.com
mode 76, 30
5⤵
PID:924

C:\Windows\System32\choice.exe
choice /C:123456780 /N
5⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:628

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
5⤵
PID:3180

C:\Windows\System32\find.exe
find /i "0x0"
5⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
5⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
6⤵
PID:3008

C:\Windows\System32\cmd.exe
cmd
6⤵
PID:980

C:\Windows\System32\mode.com
mode 110, 34
5⤵
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\System32\find.exe
find /i "Full"
5⤵
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
5⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
5⤵
PID:1812

C:\Windows\System32\find.exe
find /i "Windows"
5⤵
PID:2000

C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\find.exe
find /i "computersystem"
5⤵
PID:3880

C:\Windows\System32\sc.exe
sc start sppsvc
5⤵
- Launches sc.exe
PID:2072

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\findstr.exe
findstr /i "Windows"
5⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
5⤵
PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
6⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
5⤵
PID:4856

C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
6⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
5⤵
PID:704

C:\Windows\System32\wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
6⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
5⤵
PID:1136

C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
6⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
5⤵
PID:2236

C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
6⤵
- Runs ping.exe
PID:832

C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
5⤵
PID:5012

C:\Windows\System32\find.exe
find /i "0x0"
5⤵
PID:552

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
5⤵
PID:3192

C:\Windows\System32\find.exe
find /i "0x0"
5⤵
PID:4412

C:\Windows\System32\sc.exe
sc start ClipSVC
5⤵
- Launches sc.exe
PID:2800

C:\Windows\System32\sc.exe
sc query ClipSVC
5⤵
- Launches sc.exe
PID:2356

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
5⤵
PID:2880

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
5⤵
- Modifies registry key
PID:1052

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
5⤵
- Modifies registry key
PID:1200

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
5⤵
- Modifies registry key
PID:4920

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
5⤵
- Modifies registry key
PID:1032

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
5⤵
- Modifies registry key
PID:924

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
5⤵
- Modifies registry key
PID:444

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
5⤵
- Modifies registry key
PID:4788

C:\Windows\System32\sc.exe
sc start wlidsvc
5⤵
- Launches sc.exe
PID:4668

C:\Windows\System32\sc.exe
sc query wlidsvc
5⤵
- Launches sc.exe
PID:1956

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
5⤵
- Modifies registry key
PID:932

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
5⤵
PID:3652

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
5⤵
PID:4948

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
5⤵
PID:4688

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
5⤵
PID:2336

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
5⤵
- Modifies registry key
PID:5016

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
5⤵
- Modifies registry key
PID:3180

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
5⤵
- Modifies registry key
PID:5000

C:\Windows\System32\sc.exe
sc start sppsvc
5⤵
- Launches sc.exe
PID:1104

C:\Windows\System32\sc.exe
sc query sppsvc
5⤵
- Launches sc.exe
PID:3172

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
5⤵
- Modifies registry key
PID:3452

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
5⤵
- Modifies registry key
PID:1652

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
5⤵
- Modifies registry key
PID:4376

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
5⤵
PID:3656

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
5⤵
PID:2244

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
5⤵
- Modifies registry key
PID:4812

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
5⤵
- Modifies registry key
PID:1644

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
5⤵
- Modifies registry key
PID:1600

C:\Windows\System32\sc.exe
sc start KeyIso
5⤵
- Launches sc.exe
PID:1408

C:\Windows\System32\sc.exe
sc query KeyIso
5⤵
PID:3020

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
5⤵
- Modifies registry key
PID:1500

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
5⤵
- Modifies registry key
PID:988

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
5⤵
PID:888

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
5⤵
- Modifies registry key
PID:3616

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
5⤵
- Modifies registry key
PID:1676

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
5⤵
- Modifies registry key
PID:1904

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
5⤵
PID:708

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
5⤵
PID:3400

C:\Windows\System32\sc.exe
sc start LicenseManager
5⤵
- Launches sc.exe
PID:4624

C:\Windows\System32\sc.exe
sc query LicenseManager
5⤵
- Launches sc.exe
PID:4632

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
5⤵
PID:2000

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
5⤵
PID:1700

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
5⤵
- Modifies registry key
PID:3160

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
5⤵
- Modifies registry key
PID:684

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
5⤵
- Modifies registry key
PID:3736

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
5⤵
- Modifies registry key
PID:2736

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
5⤵
- Modifies registry key
PID:3120

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
5⤵
- Modifies registry key
PID:4136

C:\Windows\System32\sc.exe
sc start Winmgmt
5⤵
- Launches sc.exe
PID:3264

C:\Windows\System32\sc.exe
sc query Winmgmt
5⤵
- Launches sc.exe
PID:4972

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
5⤵
PID:4536

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
5⤵
- Modifies registry key
PID:3500

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
5⤵
- Modifies registry key
PID:4060

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
5⤵
- Modifies registry key
PID:2700

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
5⤵
- Modifies registry key
PID:3820

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
5⤵
PID:1552

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
5⤵
PID:1416

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
5⤵
- Modifies registry key
PID:3788

C:\Windows\System32\sc.exe
sc start DoSvc
5⤵
- Launches sc.exe
PID:4912

C:\Windows\System32\sc.exe
sc query DoSvc
5⤵
- Launches sc.exe
PID:4360

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
5⤵
PID:1036

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
5⤵
PID:2660

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
5⤵
PID:4304

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
5⤵
PID:2256

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
5⤵
PID:4336

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
5⤵
- Modifies registry key
PID:852

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
5⤵
- Modifies registry key
PID:4300

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
5⤵
- Modifies registry key
PID:1940

C:\Windows\System32\sc.exe
sc start UsoSvc
5⤵
- Launches sc.exe
PID:3488

C:\Windows\System32\sc.exe
sc query UsoSvc
5⤵
- Launches sc.exe
PID:832

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
5⤵
- Modifies registry key
PID:3144

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
5⤵
- Modifies registry key
PID:4052

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
5⤵
- Modifies registry key
PID:1224

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
5⤵
- Modifies registry key
PID:1584

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
5⤵
- Modifies registry key
PID:4396

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
5⤵
PID:2356

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
5⤵
PID:2880

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
5⤵
- Modifies registry key
PID:4928

C:\Windows\System32\sc.exe
sc start CryptSvc
5⤵
PID:780

C:\Windows\System32\sc.exe
sc query CryptSvc
5⤵
- Launches sc.exe
PID:1200

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
5⤵
- Modifies registry key
PID:4920

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
5⤵
PID:1032

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
5⤵
PID:1312

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
5⤵
- Modifies registry key
PID:444

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
5⤵
- Modifies registry key
PID:2532

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
5⤵
PID:2484

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
5⤵
- Modifies registry key
PID:1256

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
5⤵
- Modifies registry key
PID:2396

C:\Windows\System32\sc.exe
sc start BITS
5⤵
PID:4832

C:\Windows\System32\sc.exe
sc query BITS
5⤵
- Launches sc.exe
PID:3876

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
5⤵
PID:3496

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
5⤵
PID:3688

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
5⤵
- Modifies registry key
PID:1616

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
5⤵
- Modifies registry key
PID:4108

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
5⤵
- Modifies registry key
PID:3508

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
5⤵
PID:3364

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
5⤵
PID:3136

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
5⤵
- Modifies registry key
PID:2612

C:\Windows\System32\sc.exe
sc start TrustedInstaller
5⤵
PID:1968

C:\Windows\System32\sc.exe
sc query TrustedInstaller
5⤵
- Launches sc.exe
PID:3656

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
5⤵
- Modifies registry key
PID:3728

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
5⤵
PID:4568

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
5⤵
PID:1900

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
5⤵
- Modifies registry key
PID:3100

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
5⤵
- Modifies registry key
PID:1408

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
5⤵
- Modifies registry key
PID:4384

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
5⤵
- Modifies registry key
PID:3052

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
5⤵
- Modifies registry key
PID:5116

C:\Windows\System32\sc.exe
sc start wuauserv
5⤵
- Launches sc.exe
PID:1120

C:\Windows\System32\sc.exe
sc query wuauserv
5⤵
- Launches sc.exe
PID:2920

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
5⤵
PID:1140

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
5⤵
- Modifies registry key
PID:4588

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
5⤵
PID:1624

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
5⤵
- Modifies registry key
PID:1340

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
5⤵
PID:3708

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
5⤵
PID:4632

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
5⤵
- Modifies registry key
PID:2192

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
5⤵
PID:1700

C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1704

C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
5⤵
- Launches sc.exe
PID:740

C:\Windows\System32\sc.exe
sc start ClipSVC
5⤵
- Launches sc.exe
PID:4500

C:\Windows\System32\sc.exe
sc start wlidsvc
5⤵
PID:3104

C:\Windows\System32\sc.exe
sc start sppsvc
5⤵
PID:1240

C:\Windows\System32\sc.exe
sc start KeyIso
5⤵
- Launches sc.exe
PID:2068

C:\Windows\System32\sc.exe
sc start LicenseManager
5⤵
- Launches sc.exe
PID:4208

C:\Windows\System32\sc.exe
sc start Winmgmt
5⤵
- Launches sc.exe
PID:1820

C:\Windows\System32\sc.exe
sc start DoSvc
5⤵
- Launches sc.exe
PID:4972

C:\Windows\System32\sc.exe
sc start UsoSvc
5⤵
- Launches sc.exe
PID:4828

C:\Windows\System32\sc.exe
sc start CryptSvc
5⤵
- Launches sc.exe
PID:3500

C:\Windows\System32\sc.exe
sc start BITS
5⤵
- Launches sc.exe
PID:1984

C:\Windows\System32\sc.exe
sc start TrustedInstaller
5⤵
PID:4060

C:\Windows\System32\sc.exe
sc start wuauserv
5⤵
- Launches sc.exe
PID:1512

C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1552

C:\Windows\System32\sc.exe
sc config DoSvc start= delayed-auto
5⤵
- Launches sc.exe
PID:2516

C:\Windows\System32\sc.exe
sc config UsoSvc start= delayed-auto
5⤵
- Launches sc.exe
PID:900

C:\Windows\System32\sc.exe
sc config wuauserv start= demand
5⤵
PID:1896

C:\Windows\System32\sc.exe
sc query ClipSVC
5⤵
- Launches sc.exe
PID:4044

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:3096

C:\Windows\System32\sc.exe
sc start ClipSVC
5⤵
- Launches sc.exe
PID:3724

C:\Windows\System32\sc.exe
sc query wlidsvc
5⤵
- Launches sc.exe
PID:2740

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4916

C:\Windows\System32\sc.exe
sc start wlidsvc
5⤵
- Launches sc.exe
PID:4068

C:\Windows\System32\sc.exe
sc query sppsvc
5⤵
- Launches sc.exe
PID:4336

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4056

C:\Windows\System32\sc.exe
sc start sppsvc
5⤵
- Launches sc.exe
PID:1940

C:\Windows\System32\sc.exe
sc query KeyIso
5⤵
- Launches sc.exe
PID:2084

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:2236

C:\Windows\System32\sc.exe
sc start KeyIso
5⤵
- Launches sc.exe
PID:3144

C:\Windows\System32\sc.exe
sc query LicenseManager
5⤵
- Launches sc.exe
PID:4052

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:1808

C:\Windows\System32\sc.exe
sc start LicenseManager
5⤵
- Launches sc.exe
PID:1584

C:\Windows\System32\sc.exe
sc query Winmgmt
5⤵
- Launches sc.exe
PID:4396

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:5032

C:\Windows\System32\sc.exe
sc start Winmgmt
5⤵
- Launches sc.exe
PID:3988

C:\Windows\System32\sc.exe
sc query DoSvc
5⤵
- Launches sc.exe
PID:2064

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service DoSvc
5⤵
PID:3248

C:\Windows\System32\sc.exe
sc query DoSvc
5⤵
- Launches sc.exe
PID:2336

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:2924

C:\Windows\System32\sc.exe
sc start DoSvc
5⤵
- Launches sc.exe
PID:4776

C:\Windows\System32\sc.exe
sc query UsoSvc
5⤵
PID:1104

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service UsoSvc
5⤵
PID:5112

C:\Windows\System32\sc.exe
sc query UsoSvc
5⤵
- Launches sc.exe
PID:564

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:5116

C:\Windows\System32\sc.exe
sc start UsoSvc
5⤵
- Launches sc.exe
PID:3616

C:\Windows\System32\sc.exe
sc query CryptSvc
5⤵
PID:1816

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:5100

C:\Windows\System32\sc.exe
sc start CryptSvc
5⤵
- Launches sc.exe
PID:1624

C:\Windows\System32\sc.exe
sc query BITS
5⤵
- Launches sc.exe
PID:4624

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service BITS
5⤵
PID:1464

C:\Windows\System32\sc.exe
sc query BITS
5⤵
- Launches sc.exe
PID:2672

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:2608

C:\Windows\System32\sc.exe
sc start BITS
5⤵
- Launches sc.exe
PID:4828

C:\Windows\System32\sc.exe
sc query TrustedInstaller
5⤵
- Launches sc.exe
PID:3500

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service TrustedInstaller
5⤵
PID:2700

C:\Windows\System32\sc.exe
sc query TrustedInstaller
5⤵
- Launches sc.exe
PID:704

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:3724

C:\Windows\System32\sc.exe
sc start TrustedInstaller
5⤵
- Launches sc.exe
PID:2740

C:\Windows\System32\sc.exe
sc query wuauserv
5⤵
- Launches sc.exe
PID:852

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service wuauserv
5⤵
PID:5028

C:\Windows\System32\sc.exe
sc query wuauserv
5⤵
- Launches sc.exe
PID:1572

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:2552

C:\Windows\System32\sc.exe
sc start wuauserv
5⤵
- Launches sc.exe
PID:3908

C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
5⤵
- Launches sc.exe
PID:412

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service WaaSMedicSvc
5⤵
PID:4748

C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
5⤵
PID:1104

C:\Windows\System32\find.exe
find /i "RUNNING"
5⤵
PID:1780

C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "
5⤵
PID:2244

C:\Windows\System32\findstr.exe
findstr /i "ClipSVC-1058 sppsvc-1058"
5⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
5⤵
PID:1332

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
6⤵
PID:2764

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
5⤵
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18118704.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
5⤵
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18118704.cmd') -split ':wpatest\:.*';iex ($f[1]);"
6⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "6" "
5⤵
PID:2180

C:\Windows\System32\find.exe
find /i "Error Found"
5⤵
PID:2436

C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
5⤵
- Drops file in Windows directory
PID:2072

C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\dismhost.exe {C2A340AC-F96A-478C-A28B-F9FD1346B3C8}
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3984

C:\Windows\System32\cmd.exe
cmd /c exit /b -2147467259
5⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
5⤵
PID:2924

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
6⤵
PID:1956

C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
5⤵
PID:924

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
5⤵
PID:3756

C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
5⤵
PID:4320

C:\Windows\System32\find.exe
find /i "computersystem"
5⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
5⤵
PID:3904

C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
5⤵
PID:2244

C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
5⤵
PID:332

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
5⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
5⤵
PID:3728

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
6⤵
PID:1140

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
5⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
5⤵
PID:3564

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
6⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
5⤵
PID:4028

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
6⤵
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
5⤵
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
5⤵
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
5⤵
PID:4744

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
5⤵
PID:1952

C:\Windows\System32\find.exe
find /i "windowsupdate"
5⤵
PID:1368

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
5⤵
- Modifies registry key
PID:4052

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
5⤵
PID:2084

C:\Windows\System32\findstr.exe
findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
5⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "
5⤵
PID:2728

C:\Windows\System32\find.exe
find /i "wuauserv"
5⤵
PID:552

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
5⤵
PID:3380

C:\Windows\System32\find.exe
find /i "0x1"
5⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
5⤵
PID:3848

C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
5⤵
PID:4056

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
5⤵
PID:4676

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
5⤵
PID:1200

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
5⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
5⤵
PID:2884

C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
6⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
5⤵
PID:980

C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
6⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
5⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
6⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
5⤵
PID:3452

C:\Windows\System32\find.exe
find "AAAA"
5⤵
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Restart-Service ClipSVC
5⤵
PID:3928

C:\Windows\System32\timeout.exe
timeout /t 2
5⤵
- Delays execution with timeout.exe
PID:1464

C:\Windows\System32\ClipUp.exe
clipup -v -o
5⤵
PID:424

C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem235E.tmp
6⤵
- Checks SCSI registry key(s)
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
5⤵
PID:712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
6⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
5⤵
PID:632

C:\Windows\System32\find.exe
find /i "Windows"
5⤵
PID:4388

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
5⤵
PID:696

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
5⤵
PID:2884

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
5⤵
PID:2924

C:\Windows\System32\findstr.exe
findstr /i "Windows"
5⤵
PID:2072

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:4632

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem1D05.tmp
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53fbb36e3de882ade26ea8b023b9a6ce

SHA1
ff48acf3b1475f0933c950856f58aebb26ca4af9

SHA256
c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130

SHA512
a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e16230c01991373e9431ebee63505e40

SHA1
352ff273303185e7fd3e1c7b8bdec40b5315b3c3

SHA256
07632f6f4a596d9119a5c4fde348a9b6c001646849c2409937c42d45e5abc77d

SHA512
99f240645697825aefaa83d7928044475e5f7866370eedc9ed1dff7891725ec052d974c0a1bf5245367f29774c3694090b2b03f89c0d0270d8cf1eefb30fa034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
deace1f3e3f4fff66c9e1ab8fdd10b75

SHA1
a6a793f8e6628020a852b817f4941fa5fe85c326

SHA256
1773e2aa319ae388e654acd214635d9c2334f0922471d7b79f5360a355a9a27f

SHA512
1c74bff974f4b248f6b5fd79dc6ea6a50518cd57e91e4415497c36371b36c4a310069fc5ae6a6435c2eed21c991fe9ed33427bcfd46d3fe71fbfd28a233f31b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6e4f082f58b6d0bbb968fb9d7422096b

SHA1
d48f1d6c46c3134e8395877be1dd6fa5f58d92c9

SHA256
71594b511be9dffe2c2a6addbb6f0cda7e25f04d0e4f09e8d8d2f9370d3403b1

SHA512
3c7509518525d0a562798ac2c50b98a76ee8ded1595a9aa8de01117fccbaecc72a1d79434b6e651b4a257870dedab5995a64ddb87947fd7e562ee6272c07defb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
fa818effcde20598c3b9ec9eebc345dc

SHA1
a26401fd9c0b51b32e036e18f3b6ae3a14240227

SHA256
065e354a76c8f6f6db86558fe1376dd6bd479104bd75f95b4022b2be16fc69ec

SHA512
df9686a22117e1f1c8fdcc29526fe7301323a37afcd67dd83d3183546bf02849cade68f5af8eef59f415f00076d890b1f5055b94ea96ce395d416499644d0943

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\AppxProvider.dll

Filesize
664KB

MD5
a31cb807bf0ab4ddbbe2b6bb96ae6cd1

SHA1
cf63765b41aee9cd7ae76c04dfbb6151e909b3c9

SHA256
37f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47

SHA512
6a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\CbsProvider.dll

Filesize
1004KB

MD5
f51151b2d8d84cddbedbeffebdc6ec6a

SHA1
adc9c19aa0663e65997f54835228968e13532198

SHA256
7fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884

SHA512
802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\DismCore.dll

Filesize
444KB

MD5
c73ee8f61bce89d1edad64d16fedcdd6

SHA1
e8fe02e68fd278fd4af501e350d412a5a91b269f

SHA256
b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413

SHA512
8a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\DmiProvider.dll

Filesize
436KB

MD5
e54120aa50f14e0d3d257e77db46ece5

SHA1
922203542962ec5f938dcb3c876f060ecf17f9dc

SHA256
b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54

SHA512
fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\Ffuprovider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\GenericProvider.dll

Filesize
172KB

MD5
20fb116831396d9477e352d42097741c

SHA1
7e063ac9bc173a81dc56dc5864f912041e2c725a

SHA256
6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4

SHA512
851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\MsiProvider.dll

Filesize
208KB

MD5
eb171b7a41a7dd48940f7521da61feb0

SHA1
9f2a5ddac7b78615f5a7af753d835aaa41e788fc

SHA256
56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

SHA512
5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\SmiProvider.dll

Filesize
272KB

MD5
46e3e59dbf300ae56292dea398197837

SHA1
78636b25fdb32c8fcdf5fe73cac611213f13a8be

SHA256
5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

SHA512
e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\Vhdprovider.dll

Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\WimProvider.dll

Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\dismprov.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\en-US\AppxProvider.dll.mui

Filesize
23KB

MD5
f70750a86cda23a3ced4a7ecf03feebd

SHA1
1c2d9d79974338ce21561b916130e696236fbb48

SHA256
8038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050

SHA512
cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
3a26818c500fb74f13342f44c5213114

SHA1
af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602

SHA256
421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb

SHA512
afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
8644aa200968ce8dfe182f775e1d65c4

SHA1
060149f78e374f2983abde607066f2e07e9b0861

SHA256
46b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030

SHA512
29b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429B45D-B929-4073-9A18-06A5AAF8C69F\en-US\DismCore.dll.mui

Filesize
7KB

MD5
0a4338fdfb1adaa6592b8f1023ced5cf

SHA1
b96bd2067f43e5142e19f9c66e4db7d317d9cd2e

SHA256
0b6ac5a720dc9163dea36e565c82da1e375041688e6594de15d97652ab7aca80

SHA512
cf8cbb592dc5f09a95892d897680d4ca4f59e74afaeea2701d7258ace84c4c1182e032e7dd76cbd52a77ea08c8d3858e9b5f900691a6d80c728f5e56701382db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1q5w5pnf.gsl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
16KB

MD5
159fdfa8f56cc43b133a334497a395c4

SHA1
d7f9cb2b780b364f32b80975e2ca1c5225d0bfde

SHA256
4b23a429ee3239419fbd3250eb6b921c1dd5463a2ee3378eb8a4a2cf40cff5d1

SHA512
2839a0c85647b162b4a21de1a9d9b19ae19029a6af86ed8108b0f4bfef38533268e179dcf7ae81f75543e453a67e02b8db234ce61296576200814d3fdecdb7c9

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
23KB

MD5
9903713364a4e314c0fb772454fa2745

SHA1
2b8ac1df0fecadde60bd1b3ecb43a87ec049ae0d

SHA256
52dcbaef483bfc7da7e95b5f1c76eb6577497608951094f5e23cb4ba5d783f10

SHA512
d375842418fbc5c20390eadb75ba806cff13c66b12cf00e0d7beec8360e3377b9f9d242c1172ebb42b9146b3fd7e28a83bba8ec4d6b2cf10c231d199a604361c

Download Submit
C:\Windows\Temp\MAS_18118704.cmd

Filesize
438KB

MD5
7ea05ffbbd048f4287885124108c3b67

SHA1
68f4800311750f9f57e0f52a3a2badad06560320

SHA256
0a2c531e3fc248016c087f501759f2e30684fd245f75dfe6e4f685c3670131f0

SHA512
b87cfed8c5799dca70ea27ba6acf7a44354d9785bcfbb6a45fdd674570e4743204ce7cba7869439677a4a3a4a6bfb218887b3b41313716691adcb60d9b4ee820

Download Submit
memory/424-366-0x0000021308CB0000-0x0000021308CC0000-memory.dmp

Filesize
64KB

Download
memory/424-367-0x0000021308CB0000-0x0000021308CC0000-memory.dmp

Filesize
64KB

Download
memory/424-373-0x0000021308CB0000-0x0000021308CC0000-memory.dmp

Filesize
64KB

Download
memory/1768-355-0x000001962AA50000-0x000001962AA60000-memory.dmp

Filesize
64KB

Download
memory/1768-354-0x000001962AA50000-0x000001962AA60000-memory.dmp

Filesize
64KB

Download
memory/1768-359-0x000001962AA50000-0x000001962AA60000-memory.dmp

Filesize
64KB

Download
memory/3192-368-0x000002400D6B0000-0x000002400D6C0000-memory.dmp

Filesize
64KB

Download
memory/3192-369-0x000002400D6B0000-0x000002400D6C0000-memory.dmp

Filesize
64KB

Download
memory/3192-372-0x000002400D6B0000-0x000002400D6C0000-memory.dmp

Filesize
64KB

Download
memory/3804-46-0x000001F8DAD60000-0x000001F8DAD82000-memory.dmp

Filesize
136KB

Download
memory/3804-47-0x000001F8DB170000-0x000001F8DB1B6000-memory.dmp

Filesize
280KB

Download
memory/4272-12-0x0000000140000000-0x0000000140C52000-memory.dmp

Filesize
12.3MB

Download
memory/4272-15-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-8-0x000000001BAB0000-0x000000001BC72000-memory.dmp

Filesize
1.8MB

Download
memory/4272-10-0x000000001FBE0000-0x0000000020108000-memory.dmp

Filesize
5.2MB

Download
memory/4272-7-0x0000000140000000-0x0000000140C52000-memory.dmp

Filesize
12.3MB

Download
memory/4272-6-0x0000000140000000-0x0000000140C52000-memory.dmp

Filesize
12.3MB

Download
memory/4272-5-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-9-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-14-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-3-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-1-0x00007FFA80000000-0x00007FFA80002000-memory.dmp

Filesize
8KB

Download
memory/4272-16-0x00007FFAABC40000-0x00007FFAABE49000-memory.dmp

Filesize
2.0MB

Download
memory/4272-2-0x00007FFAABCE7000-0x00007FFAABCE9000-memory.dmp

Filesize
8KB

Download
memory/4272-0-0x0000000140000000-0x0000000140C52000-memory.dmp

Filesize
12.3MB

Download
memory/4632-360-0x0000021344920000-0x0000021344930000-memory.dmp

Filesize
64KB

Download
memory/4632-353-0x0000021344920000-0x0000021344930000-memory.dmp

Filesize
64KB

Download
memory/4632-352-0x0000021344920000-0x0000021344930000-memory.dmp

Filesize
64KB

Download
memory/5004-56-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-50-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-48-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-49-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-54-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-60-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-59-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-58-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-57-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download
memory/5004-55-0x00000182FA6E0000-0x00000182FA6E1000-memory.dmp

Filesize
4KB

Download