dharma | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

Resubmissions

18-07-2024 00:13

240718-ah91wawelp 10

18-07-2024 00:06

240718-ady3tayhqh 10

Analysis

max time kernel
350s
max time network
351s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 00:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

EFI_[unknowncheats.me]_.zip
Size

22B
MD5

76cdb2bad9582d23c1f6f4d868218d6c
SHA1

b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256

8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512

5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (522) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

120 5524 powershell.exe
123 5524 powershell.exe
Downloads MZ/PE file

flow	pid	process
120	5524	powershell.exe
123	5524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Deletes itself 1 IoCs

Processes:

CoronaVirus.exe

pid process

1924 CoronaVirus.exe

pid	process
1924	CoronaVirus.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 2 IoCs

Processes:

dismhost.exeCoronaVirus.exe

pid process

3028 dismhost.exe
1924 CoronaVirus.exe

Loads dropped DLL 19 IoCs

Processes:

dismhost.exe

pid	process
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe
3028	dismhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

116 camo.githubusercontent.com
122 raw.githubusercontent.com
123 raw.githubusercontent.com
205 raw.githubusercontent.com
206 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\Info.hta CoronaVirus.exe
File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

flow	ioc
116	camo.githubusercontent.com
122	raw.githubusercontent.com
123	raw.githubusercontent.com
205	raw.githubusercontent.com
206	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FirstTimeUse.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\BuildInfo.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoBeta.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\hprof.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-250.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt.id-AC844449.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-black.png	CoronaVirus.exe

Drops file in Windows directory 2 IoCs

Processes:

Dism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3228	sc.exe
5380	sc.exe
3272	sc.exe
1120	sc.exe
5256	sc.exe
5900	sc.exe
5796	sc.exe
5544	sc.exe
5288	sc.exe
2120	sc.exe
5896	sc.exe
2136	sc.exe
2496	sc.exe
4664	sc.exe
5916	sc.exe
5036	sc.exe
2632	sc.exe
1864	sc.exe
5760	sc.exe
5948	sc.exe
728	sc.exe
5640	sc.exe
4820	sc.exe
2608	sc.exe
4564	sc.exe
5684	sc.exe
3028	sc.exe
5132	sc.exe
1932	sc.exe
5836	sc.exe
384	sc.exe
5864	sc.exe
728	sc.exe
5924	sc.exe
5792	sc.exe
1088	sc.exe
5392	sc.exe
5152	sc.exe
4348	sc.exe
1192	sc.exe
1876	sc.exe
3092	sc.exe
5328	sc.exe
5804	sc.exe
5948	sc.exe
4596	sc.exe
1396	sc.exe
4780	sc.exe
5920	sc.exe
4172	sc.exe
748	sc.exe
380	sc.exe
528	sc.exe
5908	sc.exe
5964	sc.exe
2632	sc.exe
5064	sc.exe
5480	sc.exe
5052	sc.exe
5900	sc.exe
5668	sc.exe
2024	sc.exe
1396	sc.exe
5272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

clipup.exeClipup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

20712 vssadmin.exe
23084 vssadmin.exe

pid	process
20712	vssadmin.exe
23084	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "155"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-47134698-4092160662-1261813102-1000\{2353BAAE-BB2A-403B-A0D6-501B69BD53F7}	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
5848	reg.exe
3464	reg.exe
2660	reg.exe
3900	reg.exe
3700	reg.exe
5640	reg.exe
5268	reg.exe
1200	reg.exe
544	reg.exe
5504	reg.exe
6124	reg.exe
4208	reg.exe
2716	reg.exe
5548	reg.exe
5688	reg.exe
5436	reg.exe
528	reg.exe
6100	reg.exe
1604	reg.exe
5628	reg.exe
5644	reg.exe
5944	reg.exe
2552	reg.exe
3436	reg.exe
2192	reg.exe
5260	reg.exe
5412	reg.exe
5688	reg.exe
5916	reg.exe
6100	reg.exe
5924	reg.exe
5932	reg.exe
1896	reg.exe
3228	reg.exe
5908	reg.exe
4236	reg.exe
5424	reg.exe
5368	reg.exe
5888	reg.exe
2876	reg.exe
1176	reg.exe
5408	reg.exe
5428	reg.exe
5876	reg.exe
1492	reg.exe
5656	reg.exe
3188	reg.exe
4548	reg.exe
1192	reg.exe
5388	reg.exe
5656	reg.exe
5272	reg.exe
5256	reg.exe
4564	reg.exe
5644	reg.exe
5352	reg.exe
5236	reg.exe
1864	reg.exe
4512	reg.exe
1028	reg.exe
2840	reg.exe
5344	reg.exe
6128	reg.exe
4068	reg.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 329039.crdownload:SmartScreen msedge.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5268 PING.EXE
5740 PING.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 329039.crdownload:SmartScreen	msedge.exe

pid	process
5268	PING.EXE
5740	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeCoronaVirus.exe

pid	process
4468	msedge.exe
4468	msedge.exe
4824	msedge.exe
4824	msedge.exe
1400	identity_helper.exe
1400	identity_helper.exe
3640	msedge.exe
3640	msedge.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
5224	powershell.exe
5224	powershell.exe
5224	powershell.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
2524	msedge.exe
2524	msedge.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe
1924	CoronaVirus.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
648

pid
4
4
4
4
4
648

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5524	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeIncreaseQuotaPrivilege	5416	WMIC.exe
Token: SeSecurityPrivilege	5416	WMIC.exe
Token: SeTakeOwnershipPrivilege	5416	WMIC.exe
Token: SeLoadDriverPrivilege	5416	WMIC.exe
Token: SeSystemProfilePrivilege	5416	WMIC.exe
Token: SeSystemtimePrivilege	5416	WMIC.exe
Token: SeProfSingleProcessPrivilege	5416	WMIC.exe
Token: SeIncBasePriorityPrivilege	5416	WMIC.exe
Token: SeCreatePagefilePrivilege	5416	WMIC.exe
Token: SeBackupPrivilege	5416	WMIC.exe
Token: SeRestorePrivilege	5416	WMIC.exe
Token: SeShutdownPrivilege	5416	WMIC.exe
Token: SeDebugPrivilege	5416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5416	WMIC.exe
Token: SeRemoteShutdownPrivilege	5416	WMIC.exe
Token: SeUndockPrivilege	5416	WMIC.exe
Token: SeManageVolumePrivilege	5416	WMIC.exe
Token: 33	5416	WMIC.exe
Token: 34	5416	WMIC.exe
Token: 35	5416	WMIC.exe
Token: 36	5416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5416	WMIC.exe
Token: SeSecurityPrivilege	5416	WMIC.exe
Token: SeTakeOwnershipPrivilege	5416	WMIC.exe
Token: SeLoadDriverPrivilege	5416	WMIC.exe
Token: SeSystemProfilePrivilege	5416	WMIC.exe
Token: SeSystemtimePrivilege	5416	WMIC.exe
Token: SeProfSingleProcessPrivilege	5416	WMIC.exe
Token: SeIncBasePriorityPrivilege	5416	WMIC.exe
Token: SeCreatePagefilePrivilege	5416	WMIC.exe
Token: SeBackupPrivilege	5416	WMIC.exe
Token: SeRestorePrivilege	5416	WMIC.exe
Token: SeShutdownPrivilege	5416	WMIC.exe
Token: SeDebugPrivilege	5416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5416	WMIC.exe
Token: SeRemoteShutdownPrivilege	5416	WMIC.exe
Token: SeUndockPrivilege	5416	WMIC.exe
Token: SeManageVolumePrivilege	5416	WMIC.exe
Token: 33	5416	WMIC.exe
Token: 34	5416	WMIC.exe
Token: 35	5416	WMIC.exe
Token: 36	5416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5544	WMIC.exe
Token: SeSecurityPrivilege	5544	WMIC.exe
Token: SeTakeOwnershipPrivilege	5544	WMIC.exe
Token: SeLoadDriverPrivilege	5544	WMIC.exe
Token: SeSystemProfilePrivilege	5544	WMIC.exe
Token: SeSystemtimePrivilege	5544	WMIC.exe
Token: SeProfSingleProcessPrivilege	5544	WMIC.exe
Token: SeIncBasePriorityPrivilege	5544	WMIC.exe
Token: SeCreatePagefilePrivilege	5544	WMIC.exe
Token: SeBackupPrivilege	5544	WMIC.exe
Token: SeRestorePrivilege	5544	WMIC.exe
Token: SeShutdownPrivilege	5544	WMIC.exe
Token: SeDebugPrivilege	5544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5544	WMIC.exe
Token: SeRemoteShutdownPrivilege	5544	WMIC.exe
Token: SeUndockPrivilege	5544	WMIC.exe
Token: SeManageVolumePrivilege	5544	WMIC.exe
Token: 33	5544	WMIC.exe
Token: 34	5544	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

23776 LogonUI.exe

pid	process
23776	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4824 wrote to memory of 400	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 400	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 872	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 4468	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 4468	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe
PID 4824 wrote to memory of 5100	4824	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\EFI_[unknowncheats.me]_.zip
1⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0e8146f8,0x7ffc0e814708,0x7ffc0e814718
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1348 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_60117008.cmd" "
  2⤵
  PID:5880
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:5948
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5956
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_60117008.cmd"
    3⤵
    PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1460
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3208
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:3700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1120
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_60117008.cmd" "
    3⤵
    PID:5124
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:6124
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:1992
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:6100
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4780
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
    3⤵
    PID:2040
- - C:\Windows\System32\cmd.exe
    cmd.exe /c ""C:\Windows\Temp\MAS_60117008.cmd" -qedit"
    3⤵
    PID:1708
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
      4⤵
      Modifies registry key
      PID:3436
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      PID:5288
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5220
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_60117008.cmd"
      4⤵
      PID:5332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:5308
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:5296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:5384
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:5404
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:5408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:5436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:4848
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:5132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_60117008.cmd" "
      4⤵
      PID:5140
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:6140
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:5596
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      4⤵
      Modifies registry key
      PID:2716
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      PID:4172
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        Runs ping.exe
        
        PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
      4⤵
      PID:4132
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:3660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
      4⤵
      PID:5652
  - - C:\Windows\System32\find.exe
      find "127.69.2.6"
      4⤵
      PID:384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:1604
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:2752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:5788
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:5672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:5684
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:4416
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:4672
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:5836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:5868
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:628
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:4688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:976
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:5036
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $ExecutionContext.SessionState.LanguageMode
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\System32\find.exe
      find /i "Full"
      4⤵
      PID:4192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:5320
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:5300
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5416
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5428
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5132
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5544
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:5148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:5400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:5668
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:5804
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:5912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5456
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      PID:5792
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        Runs ping.exe
        
        PID:5740
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:2552
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4664
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:1088
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2136
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:5864
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:3228
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      PID:5088
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      Modifies registry key
      PID:3900
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      Modifies registry key
      PID:5848
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:5876
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:4564
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:5916
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      PID:2472
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:2496
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:2632
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      PID:4252
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:6124
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      PID:1608
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      PID:4780
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      PID:948
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      PID:2564
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      Modifies registry key
      PID:6128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:6100
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4820
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5328
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:5260
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:5368
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:5236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:5924
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:5272
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      PID:5332
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:5932
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      PID:1876
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5380
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:5392
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      PID:5128
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:5412
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      PID:5420
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      Modifies registry key
      PID:5436
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:1176
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      PID:2188
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      PID:3548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      PID:3988
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5052
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:5544
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:1604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      PID:2064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:5628
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      PID:1548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      PID:4108
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:5656
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      Modifies registry key
      PID:2840
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:5644
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2024
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:2608
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:5688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      PID:2688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      PID:4416
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:4208
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:5504
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      PID:5904
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:1896
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      PID:4512
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:380
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:5152
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:3188
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
      4⤵
      PID:3092
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
      4⤵
      PID:2132
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:1028
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:1864
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
      4⤵
      PID:216
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
      4⤵
      Modifies registry key
      PID:4548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
      4⤵
      Modifies registry key
      PID:3228
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:528
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:1396
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:5908
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
      4⤵
      Modifies registry key
      PID:5944
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
      4⤵
      PID:5868
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:2552
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
      4⤵
      PID:4564
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
      4⤵
      PID:5916
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
      4⤵
      PID:2472
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
      4⤵
      PID:2496
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      PID:2632
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      Launches sc.exe
      PID:728
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
      4⤵
      PID:4284
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
      4⤵
      PID:5064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:3700
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:4068
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:1192
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:3464
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
      4⤵
      Modifies registry key
      PID:2192
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
      4⤵
      Modifies registry key
      PID:5256
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:5288
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:4596
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
      4⤵
      PID:5872
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
      4⤵
      PID:5224
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
      4⤵
      Modifies registry key
      PID:4236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
      4⤵
      Modifies registry key
      PID:5388
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
      4⤵
      PID:5300
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
      4⤵
      Modifies registry key
      PID:5424
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
      4⤵
      Modifies registry key
      PID:5408
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
      4⤵
      Modifies registry key
      PID:5428
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      PID:5416
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      Launches sc.exe
      PID:2120
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
      4⤵
      PID:2292
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
      4⤵
      PID:5600
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
      4⤵
      PID:3516
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
      4⤵
      Modifies registry key
      PID:5548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
      4⤵
      PID:5148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
      4⤵
      PID:4456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
      4⤵
      Modifies registry key
      PID:1492
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
      4⤵
      Modifies registry key
      PID:2660
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:4348
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:5760
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      PID:4108
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:5656
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      PID:2840
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:5644
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:2876
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      PID:5824
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:5640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:5268
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5900
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5896
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService
      4⤵
      PID:5912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description
      4⤵
      PID:4276
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:5888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:4512
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:5352
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:5344
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
      4⤵
      Modifies registry key
      PID:1200
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type
      4⤵
      PID:2392
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4664
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:1864
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2136
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:1932
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      PID:2068
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      PID:2268
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:1396
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:5908
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:5836
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:5948
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:5964
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:3272
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4564
  - - C:\Windows\System32\sc.exe
      sc config DoSvc start= delayed-auto
      4⤵
      Launches sc.exe
      PID:5916
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3208
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:2632
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:728
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4516
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5064
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:4780
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5152
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1120
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:1192
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:6104
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      PID:4192
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:5256
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5328
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5924
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5272
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:388
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:1876
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:5920
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service DoSvc
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1916
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:384
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5672
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:4172
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:5684
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2876
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:5668
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      Launches sc.exe
      PID:5640
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:6076
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:5900
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:5804
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4672
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:5480
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      Launches sc.exe
      PID:5796
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5196
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:5792
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:3092
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3544
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:1088
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:748
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1264
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:1932
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:2068
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_60117008.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
      4⤵
      PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_60117008.cmd') -split ':wpatest\:.*';iex ($f[1]);"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "7" "
      4⤵
      PID:2632
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:4284
  - - C:\Windows\System32\Dism.exe
      DISM /English /Online /Get-CurrentEdition
      4⤵
      Drops file in Windows directory
      PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\dismhost.exe {0AA46966-3206-4BBC-A0B8-B11B24E764BD}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3028
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:5912
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:4364
  - - C:\Windows\System32\cscript.exe
      cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
      4⤵
      PID:380
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:2392
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:1360
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:528
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:5804
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:460
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:628
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:5868
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:5956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:2496
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:2816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:2552
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3516
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
      4⤵
      Modifies registry key
      PID:544
  - - C:\Windows\System32\find.exe
      find /i "windowsupdate"
      4⤵
      PID:1384
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
      4⤵
      PID:5648
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
      4⤵
      Modifies registry key
      PID:5688
  - - C:\Windows\System32\findstr.exe
      findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
      4⤵
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo: "
      4⤵
      PID:5268
  - - C:\Windows\System32\find.exe
      find /i "wuauserv"
      4⤵
      PID:4208
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
      4⤵
      PID:3700
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:8
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:3952
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:5456
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:6140
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:5740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:4056
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:1360
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:3900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:1476
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:3780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Restart-Service ClipSVC
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:976
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:4376
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temC1B5.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:4172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:4208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:4364
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:5352
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
      4⤵
      PID:2292
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5916
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      PID:6124
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:4568
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:1004
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:6108

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:3552
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temC0CA.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:5320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5256

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1924
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5332
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:840
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:20712
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:25988
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:23272
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:23084
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:23520
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:23404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:8060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa381a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:23776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-AC844449.[[email protected]].ncov

Filesize
3.2MB

MD5
7fdde8e62c140029ffbbee74f5c510ba

SHA1
974fdb4a01892be54f4501602de86657d89b8645

SHA256
0ebc6207f88cdd88b5b1772e654dfe9bf13ef7fbb0f4e581573391ace92f4bf1

SHA512
d91173504e8cbc1e8884452ba1c637e27cb7cf822e4acfcfe8569aa8cd278e3bb180795c43e0fdaa87fefb1044256f9b6534035a2ad920fd75bd7340ba7cda2e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27f3335bf37563e4537db3624ee378da

SHA1
57543abc3d97c2a2b251b446820894f4b0111aeb

SHA256
494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a

SHA512
2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5db85f3d-363f-49fe-af39-c1539cf2b278.tmp

Filesize
1KB

MD5
c5233533761c534bf352d13b46fd6e5e

SHA1
d2fe20138e09aec79f837d4ea95b91f306aee72b

SHA256
347a5f850d6da84f5a5b57828a144a392752758f77647813501fadc9ccb9b615

SHA512
b737fec80dbc79a4e2927ff581eccdf4db6531e9bfc0619170a590c97754001a91c45a20242b6874bd754cc7cb181f8891a8313fa0fcc47aad734b1ac5a4137c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
d34f421295c1e75d8931c3e7fea11b25

SHA1
e83ccd11a1d57ff0cb2bd56b8acdf8525f1721b7

SHA256
8faf393bd11c5916f3828716d5886d770b291e6ea4847d54d242943dbe8d722c

SHA512
f92d6366d337513c5d077d220f1d3bd1129c2e91a171e39c3980aca1031bbca9c48a16683d88caa9241f5150a9369c9964414b607d7a1cadaf3e51956d4bdf7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
9d3881d3c9400536a0b3d78c867ab8be

SHA1
8544210a4e0bb56e91b98a7615e0144432fa4a06

SHA256
147e0558bde7300e6fadc9284009077a4cd6794ef77d909e502510b23e69f7bc

SHA512
2c5a1665e3c3c459b9917944009b1c9027912e7876618cf584eaf9e72040494cc547aa232c925032e7d9a461e95590d1c2cce9f8b1560fcfb714bd69f731b5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
37KB

MD5
f9a90d58144602c12373f3a51ae11c3e

SHA1
50930fadc719a0cf689f480f053fe55eaab64817

SHA256
477adbd55274ba5f7057f114fd4c4908fe46d7f486c7cd6dfe452a80ff0b7c82

SHA512
0f06561a943bdafdc0f6355ce4a5dd2a3daa348d621ac8c0d95632d5bf0458b4068803af0f3e9819496ed750299a63e6eea88c53bd2816c757a0e4c721d7e4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
37KB

MD5
f379276efec34127fed6f06101a024d3

SHA1
279e8e9dc86c622343e5bba17043d893c9224086

SHA256
1f92cc266344c34ab3ba73fd7107c0b7d53de896e47f3683c9e7ea4b1e74b8cf

SHA512
a87e994179341eedf39393fd4b7a57e8ac341f43bcd846c3bc16da9632921c08566be9ccb1b3afc0a1b9a9152c6a1339bff584401aaeb7f1cff7a36af66db5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
6686ec56c4536362ed40e1a3471e4a1e

SHA1
a0f9d0126bddcb40743d717cc9322c6b91d35b2c

SHA256
823063b7a7f06616d10539be8eee67b351e66a7e7cdaf928679ce88c9bde42ca

SHA512
067ed2eb82ae2d10a5d7a05cf2bf8dc82f8fea0eea1722d93ed95caba12583f8382245348634365ff92fffa547a55f579957ade966226a674875c43a6f18191e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
18KB

MD5
4e3c3d1baf2cd51127ec83266c8903d0

SHA1
4768007b563449e66a04ce8ba8fdb0a8445ba689

SHA256
d28aca638adb186dbaa143e62e7b0ccf0d6785ac5408ce8cf0b035f897fea5d8

SHA512
c187badfffbc662eb5483c3fa5435332dcf94dfb849c5cfdd7a9ba1bb5e6df76f06cfd624024be062902e0590be1a454b1511336dada9c9c571e65e7f520776b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b85f421fc8bcb1cc07f3f244eb4ba442

SHA1
d3c383bf9bd0dc6b6abfd1ce7539f03b1b74f5b5

SHA256
969c6534b6b92332270362c898ea08f7ba6075aad4a04b057766bb7b09356367

SHA512
8f6c3745746bea462c957c66819ce6bb80ce3dcc381a84f0119eb3b9d447eee87645f7c72d4b0a212093339232157db47c78ea0f6c971bea06190480545fcb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
268757486d90bf7ca689249487561b68

SHA1
a609ed43c12e9ea4c6c1f5fd2f1a96bd8107b4e4

SHA256
24b5385d4c8050e3d76e7657324198d7dab6fa7e2d9b5b91ef062f4dc5c3824c

SHA512
4b16e33dba3355e91b15afee71face92b32fbc74101708f75888a16bf1853e38ca020cea033e45e62321e3600ea241ffd73c4ff76e32da874306d640f9ee2cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
bbd3b3f2ca4f5ac715c55ceecb0d800f

SHA1
f81330d5ec74d18d2e200d3e27696dffa76c332f

SHA256
fb119ce22706daa1b8ecc7d34d59fcb33b29935c4818d2ea1ca0f25e0ee2050f

SHA512
84e7b56e011b6f11d2fdd8fd214be0d4218788e2311841dab1abe770d7b4be7d1fb393e648a40b3b4869e2047a5574a0bb25f79a895d197bfe3a4fd68e6e8629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
36a57325e9119e7d2271e031b2090550

SHA1
bb98b4c5f4626c46ef614119369c5a2af3636cee

SHA256
c0cf114d580003e660c59feb30d5bb9c6d6df8675288db58543891136278f272

SHA512
74b60be130f53cb7552a6dd2badd7cee18660b4b0d01d52f64515ecf07846b5660a23869d5bf34cee07f7755be45e78ddae196814f4984e8fced5bc2d38c4274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d52c97bda342498d91556b1ef8ecd6e3

SHA1
878255ba353e194a2531a920f364edcd168358e4

SHA256
f36e9a196b314331eab37062bb86b3433f23578339f22fe5ccacd728394916d5

SHA512
475f42501dd0c8dcc460c6604b148c2d4b0f89cf48d4fbaf6f714deaa6419df2663bd8cab65297c33073c9e6eca4babbc0dfd4f9c9e7d5c84b3e7a24306737f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a1e48c21448093848c4b2f3e5451c09

SHA1
3203d817c9c46410b7d6794641a45a32cd90268d

SHA256
dca440c9c300d68a1d8cbce9698d7779fb9bc5a98ea97843417aec57dbe9aecc

SHA512
79eb3a51da4c19a96321a4d209aa1f2a648aa5a8990534520412f57d879b1ffa5b6fcabd3c64bc15c46393aaebba547e6b9ea7a597a66304d0dd6bbf3da7f62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d4cebbe12eeab7462299275195dc8ec2

SHA1
0954b53997b0d0f0fc7424b95b43ebec39c8d522

SHA256
fd741e5fdac991ba1c9bd58c076741b74130ae7e48d5dfc8fe0af6ae838e0c3c

SHA512
dc2c969a2a00a17bceaaa7af7f6b740a0c28f0c85b9ee5ad79366e0dccdc2771d4ad0983d9140d03c58f3c9b19f4c9d2c2cd7ba1f0ea185d0abf76dac6b1971d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b976c5ee2a01258ddb5b3c8857e629dd

SHA1
362a773621c9daebd38522fd6f0ca929f9558c76

SHA256
8ce6a05e9fbbe56cdffc97cf08fbd028c7c795eec865b3716f30d5d1ed12400c

SHA512
642adb6f40130eb64b04ac1e88ccd179d378507cab47a02d8290c62f074de97f8a29b7a7c736d9a9466504c73125336d972a0160ea04b1fb515162fc3bf46b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
18e23e8de2530e5f4dd36988b205efc7

SHA1
ff06c747b097d2b5156b70eb3b72833a361aca93

SHA256
5fd5b0b69518698f013c5fb3ba1f2215e54f82a7aacb5b46d3810e8027acd98f

SHA512
75b6880e52d16763036c2e74f11b5cb2d599e2f89dda4e309cf65573bac0537475e1dc00aa1cd309871157b0ef7153d8db02251427586787be77ab3b40f6d87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58afdf136b0cce1ba9b28534047129c7

SHA1
32d19bf0cb4f7b40aed61cbf9882c1340ee7f8af

SHA256
482ec41758ccca8af5a94b0a729a7260d01bc8b4c5c53d7ffe99cecf1e7df5a9

SHA512
adf24699d13154477924794f534abce93e5a31519cc203a110effe351849971c2d3c5454c5720dd9b4ec7f306fab5148cf00eb5e6e8a121760b5f15526e79fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e87d07d07eb943cc7741355e162bc89e

SHA1
5a9d2c54be3f74bdcf7800d97f2eae31a8a205c4

SHA256
dd998c62b7d6822c8bff2b731fbaf10276f9959d68bbb590025659caf708c680

SHA512
f0b005333d1a76939adba1482838c0c52e98f1f63524618f1fec589088610719c4e64b8c6a7992e10eb40ad782b539b01478389d2e7e3cd1ec6c4d4f55272701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76e2d848ba91652b45a76b43a691efd4

SHA1
e43a86bf9060a997788832cb4791db48fc745ee4

SHA256
3c6e92b16ade4f33cfc04794482f25224fda274d3348f6cd132b0e67eec6aeda

SHA512
012005e6f7e7ee938e4a278dddd6e257ceb29161b884b2e609380e2eeb669b6514b619d113e37918dd68cc4f1145d848ed1b62a67b29680fc40760c1f387a6c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d8437e5b4371392eff2fbf0b14b97d55

SHA1
8cf3a73ee00db2dd94be084c9404dd0f1143ca1c

SHA256
9b70f8e72b3d48f39943c1e1b628342b29bb74ce81d8398407a0cff74c78c36c

SHA512
633d2af812dbb4c992c41ef35acc5b5a73e912a6f288b6f0025ea92f75b7796cdafeb4cb5a3d0c7ee7453ba0eba6a426eb02ab1bab312c3fc614c1184ceda061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6520d697e65b17ed1f4af730444e2cdf

SHA1
39dfd0cf0ab25884f0df89f48dfa6629879a876f

SHA256
af0eee94f529591f9ffb11c20fdb4b1f08e2dd348e0040aa5ef76cfc027c525d

SHA512
f64b44f5fab6976b9ebd006094f01e415e3847673f4a6145b04e281735b9a8a728de5cad3d3b34f404031ba53948e7481abed744060b2dd900374f98205ca224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
531784c167cc7114c4049527fc3cd2f3

SHA1
509893fa8803317833fb9f0e2147a4bcb0da2141

SHA256
1741839423dc6580515bfa971b9d45eb9ad6d4cee192a8ce7b4d641d2883d0f2

SHA512
593a0cdff3f7ec5eb6fa012ffb6411aafe01152e452fab24dd6f61daa2a64e74296192b29dd5da420311ba82a979a9f6087b1bcf265f32294c398fb098ab67bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f8cebed1c42076b61f6a6de6fdcdca48

SHA1
274f57d8d17b70ca3f793250b26d036a34c958d1

SHA256
9c844ad81eb6590605f319119b64b7d97061a8d94480f5cab7c3d084b1eaef5e

SHA512
6d71f9027838877809a35aaa4f69d1898230aef563feff31bc79a157e66080a2e5f75fca5e37aaea2a386c6df23b5eecd3078198433bad6bf7bd1bcb9050bb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6064f7f8ca7dee3a3211a6ce15fd3502

SHA1
04d042bbb0d2eaf74fcb0613773fe673ce0b63d3

SHA256
c0d5bdec44a65ab4d200846e9d04a06566992e1a596c7ca6b0ef58af67575976

SHA512
93e1f46fb039ce963e763587603a8ba6a0ac7f1da5dcd806f89de8eac4e7ee4aab1ec77880111bdff4ee75354cdeba1f1aa9c280cdf8d7d1712d545a20d4e081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4ae1bf88d6d2144bd5642914a2e5804

SHA1
2c239f3a9d08b2513e0967df00f9ae59c3efc757

SHA256
6ca8a8494c3c6c56e326d1ae050c7ec0a701bf2d57ceae57f9a4b76ee9d8191a

SHA512
26fa01b3f09da17ac74ed3fa9485ded20930d7204a56544005e515d592e2282016a6df9cf2f37e2ae98248279b5aa6f49d38ebb7c8bc6ea7a3b98302440d01b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be7e89e42bf23991a76883797d2b44e5

SHA1
1e5f9a4e587292732b9ccd1e47a2ced2671bf46e

SHA256
aad5bb1afe8323fc19bfd32bbf6d5e59f2f693cd5376adabbb499cab67fea0df

SHA512
6bb27edb702581e359346a1b772fc4cbdf06bae869430517662c702881d0e4621038cf5d725ff97b5b514336ff26c4b47e5ce0fcbebcb17c234c5536e60b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b47dfd83aba10cc5cee38d2926179cc9

SHA1
4b93a5d50f0047f09671fcc116f8358ba8a3eb3e

SHA256
7d85b0881c26434e4010ad5d9a993bc3f0d6800942c91d28e0b88d504ecd7932

SHA512
fb65d7eb3e48fac963da4c487e637ca3ee17700f585693a3139d28339cb7c69855f6d789aa655a8007a388c03b05a90569eec79f00d1314358912d7276e7b279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c74c66f234b4578ba4ccf01ddb5335f3

SHA1
5d76f561dde0ecf244bd8ddab76b2f706a29d338

SHA256
8be39b4006122950ba8de081d828940bf9e2eac2833565a58dfee9fa37ad9ae4

SHA512
5baeb8eed1936d944e632b3bb6b6581dfa0ec8fb6e81d13b348a1feab113f105eed029fa453c3039ca0e29eae5f2ae1465f5e4a739db00edbc899a4d7b6781fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94ed65c97a5be82c62f413d84fd4f33d

SHA1
b18fdc5dc7438a29ec9fff3f5b854abc096930ee

SHA256
d3cf04378e4b4459c3e91146367a2cc761af394a416dc8c8889ee4b6f47af718

SHA512
46125cdf31fa0c058ce9b83311d364766c0f14f50073a8dc8eaf3c1941373e7dcb79035e13825bf1937201626484d2ab65d4c735407a8241cb14043c138df7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9e1ffe933dfe20a27dbeb6d8801ff8c

SHA1
2278aa42f79a829d24831066e6eeabe158cfca4f

SHA256
93849ac29db8bc175f842665089b77c0f2abf1c7333ae5b747047a2581ac4b33

SHA512
cb15ab544cc6bb1fce63e0b634ae09f29155a394302d04a7a601bc50ce219cdb799a06315b92d8c64df447393363b78e2fe4fd35607740cd7c5811e3a0968938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c3a21c7eb1e2777892b9a9186faf966

SHA1
47bf53cf522dff86bb0a93e8a6a53bac469c9473

SHA256
7ac8875368f98cc2b30846de4866d0bc3f33214b08705cd668a23567b6812e4a

SHA512
185f9f1824fff352bffebabb376b967b9f5cd4047694c674aa47c90b7a277c4db5c91b79602100ed44be99a9df5fd76abc1d1306e3f582a8f6c1a166cda72367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f0dc6b9f1f0e03fad2e6f9a38bd9db5d

SHA1
9af09e07f0c8ecff9ce1a9505d5bd97fec3ddc6d

SHA256
80ca3db830265b6c1e12525614b76e64d68b8f8d4377bbbf6f5f32e9188658f0

SHA512
c60448798e07d0ec5eb05a706749509acb5c1a81f45539d4008f02e7dfaeb8861f2ac41dc3663976ede1065a147bd43bd58682ad0a8c92a72a462c707cdd6dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
974de2b76bc9606ed886c5c1da060d08

SHA1
3cc70ea6d2133316a5dcfa95e634dea0a9e25cbe

SHA256
6f48837337259596db380e1a3b82bb84c0232aa6a64f168d960c3d090af18cf7

SHA512
8da75ce2528af11d8f34d7291c5f5332332f368a281453db200cbd9a7225477730057d3b66ee7345151a414d486aaceb673df62761925d2a5dd5daa9ba269412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5825d3.TMP

Filesize
538B

MD5
bccc6aeb1c8250aa4d737dc961c8a103

SHA1
45f10eed98159d592218dc85bd393219454a82b5

SHA256
e485771da1189ea8362cf9b5ea095aab4365f614f852f0bbf04fbb61aebd4d6f

SHA512
b52da7baea15061012f7ffb8bbac7ef2302dccb4cc492aece810a5b6c4c9b33627d6720816f2b39bfc1c5c57d70c9e8d9c91fdb9e07d7f0e2cb526f2692df2de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
414ea9ad75d43f47060d5b1963a77329

SHA1
782f33826842977969930cd62e963cb0ba4cddbd

SHA256
ea4d33ee74350b60f16e953c1a2965dcc8bc5f603e524134a192714c2ee35f4c

SHA512
1a9c642905dde90bacf76ab1f42d886262234892dc221f7eae4144ca4c095e9145bb07a64a1fcd7535c1b524413c908ade3f5002f4c55e55d5b7a0a5a76c27cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6b3a887883c9809b22335aa29c0d30ca

SHA1
4395c53d14eee2f4151508c6c81386da6916f212

SHA256
defafad1c539d871493907fbf0313e5f43004fda87a486aca4bd621706efb4e3

SHA512
385bff3b7f98bebb00f6f3df0d86e791ed9849afda97857e5560ed1fe2539aa6006aee9a8fb143354b96fee66488539c51126d17a663229ddc7a84db713bb65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b7edcf8b326809ee7811d9953f0c234

SHA1
5501119dd5649ba78d667566ea86adc007506192

SHA256
888b8a5f5a982ad48c7666645c59f3b918106835f7c01f7e4481d9742a651cb1

SHA512
82cf5b59a98d832d8fd779ebf4b288e75ab9140c414cddb1c189215247ee16f233184ea1639cf0b352b79cfa6ed03d58b1546d1a8ac5f75af386ee20270c4f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34c22f7746a16b896186f43e08e2f413

SHA1
ed175cf051e3e9230ecdeb8c4a69f90bf9ebbae1

SHA256
d66283c4702d50464484dd38d36af2d9e570757c7fb1c57abd0344bfcf63e0c0

SHA512
340530064ec737d405ff23486c7347e35f1af1070c5262e777ef80254ad1b18106378ff0c097a2c2ce36d9becd65cb20b6a0a5e7efd7f635d5f69e88aea64270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\IBSProvider.dll

Filesize
59KB

MD5
120f0a2022f423fc9aadb630250f52c4

SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\ImagingProvider.dll

Filesize
218KB

MD5
35e989a1df828378baa340f4e0b2dfcb

SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406

SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\IntlProvider.dll

Filesize
296KB

MD5
510e132215cef8d09be40402f355879b

SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1

SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\MsiProvider.dll

Filesize
207KB

MD5
9a760ddc9fdca758501faf7e6d9ec368

SHA1
5d395ad119ceb41b776690f9085f508eaaddb263

SHA256
7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f

SHA512
59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\OfflineSetupProvider.dll

Filesize
182KB

MD5
9cd7292cca75d278387d2bdfb940003c

SHA1
bab579889ed3ac9cb0f124842c3e495cb2ec92ac

SHA256
b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f

SHA512
ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
d6b02daf9583f640269b4d8b8496a5dd

SHA1
e3bc2acd8e6a73b6530bc201902ab714e34b3182

SHA256
9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

SHA512
189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
d4b67a347900e29392613b5d86fe4ac2

SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb

SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\ImagingProvider.dll.mui

Filesize
18KB

MD5
f2e2ba029f26341158420f3c4db9a68f

SHA1
1dee9d3dddb41460995ad8913ad701546be1e59d

SHA256
32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3

SHA512
3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\IntlProvider.dll.mui

Filesize
27KB

MD5
2eb303db5753eb7a6bb3ab773eeabdcb

SHA1
44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4

SHA256
aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f

SHA512
df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\LogProvider.dll.mui

Filesize
6KB

MD5
8933c8d708e5acf5a458824b19fd97da

SHA1
de55756ddbeebc5ad9d3ce950acba5d2fb312331

SHA256
6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6

SHA512
ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\MsiProvider.dll.mui

Filesize
15KB

MD5
c5e60ee2d8534f57fddb81ffce297763

SHA1
78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2

SHA256
1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145

SHA512
ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\OSProvider.dll.mui

Filesize
3KB

MD5
0633e0fccd477d9b22de4dd5a84abe53

SHA1
e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9

SHA256
b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706

SHA512
e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\OfflineSetupProvider.dll.mui

Filesize
2KB

MD5
015271d46ab128a854a4e9d214ab8a43

SHA1
2569deff96fb5ad6db924cee2e08a998ddc80b2a

SHA256
692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec

SHA512
6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438

Download Submit
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igkuqqhb.21q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 329039.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
220KB

MD5
22875034a0e97052632484273e8fa22d

SHA1
a32c68bc28ad00a51712707c270f325c12a134a4

SHA256
c2e3e7e65b9c23164957608b4b1e951b7a74568a7a3980eb1bb1371dbb312238

SHA512
098fc750d20392f8ae9e050a0f503c68b36266f0726283b4c3cd3184fcf8663a6abacf716db69913d888029d028e477f7ebb010e5bacaa0ed2d4561bca3bf0b9

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
243KB

MD5
43a4135b34a7cb98144e41f4afa50613

SHA1
a57f72c5f66caaf156f80ab07d84e59fa4544620

SHA256
03c5e8b5cfa84cab0cf1e7c1fc5738e1a51793523ab7695362c421915af3d534

SHA512
26b84f45a0e8bd663eb72e478022e0483fe07175bf34410436a3a2b1e90ccbfa7df6f0b71a47279cf03a69f1d5fa17ae3acde1c444eab481c4977cbcd8ef6843

Download Submit
C:\Windows\Temp\MAS_60117008.cmd

Filesize
438KB

MD5
c277c62d509a0a30def1e058a82c1750

SHA1
4cc3f27be8741e814f0bf46410452f551209eef8

SHA256
907a29e8f500ac023c0d7f8a202c41b24bbd3668cc1c3dafdd7260a910c1577d

SHA512
e1cde6f22ab99333b6eed492ad885907311c81170bfe96d8419e7ce9bda95160b6701f328addbc2b9651978d97a687530f89d7ee3708202cfb8685f0460db3c7

Download Submit
\??\pipe\LOCAL\crashpad_4824_XSIXAOJUQSGAXUGU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1924-1840-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-22207-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-1868-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3552-932-0x0000020C48E90000-0x0000020C48EA0000-memory.dmp

Filesize
64KB

Download
memory/3552-948-0x0000020C48E90000-0x0000020C48EA0000-memory.dmp

Filesize
64KB

Download
memory/3552-933-0x0000020C48E90000-0x0000020C48EA0000-memory.dmp

Filesize
64KB

Download
memory/4172-958-0x0000020889DE0000-0x0000020889DF0000-memory.dmp

Filesize
64KB

Download
memory/4172-961-0x0000020889DE0000-0x0000020889DF0000-memory.dmp

Filesize
64KB

Download
memory/4172-957-0x0000020889DE0000-0x0000020889DF0000-memory.dmp

Filesize
64KB

Download
memory/4376-955-0x000002DB97AC0000-0x000002DB97AD0000-memory.dmp

Filesize
64KB

Download
memory/4376-956-0x000002DB97AC0000-0x000002DB97AD0000-memory.dmp

Filesize
64KB

Download
memory/4376-962-0x000002DB97AC0000-0x000002DB97AD0000-memory.dmp

Filesize
64KB

Download
memory/5320-934-0x00000278A7F00000-0x00000278A7F10000-memory.dmp

Filesize
64KB

Download
memory/5320-935-0x00000278A7F00000-0x00000278A7F10000-memory.dmp

Filesize
64KB

Download
memory/5320-947-0x00000278A7F00000-0x00000278A7F10000-memory.dmp

Filesize
64KB

Download
memory/5524-476-0x000002C26B1D0000-0x000002C26BC91000-memory.dmp

Filesize
10.8MB

Download
memory/5524-982-0x000002C26B1D0000-0x000002C26BC91000-memory.dmp

Filesize
10.8MB

Download
memory/5524-457-0x000002C26C810000-0x000002C26C9D2000-memory.dmp

Filesize
1.8MB

Download
memory/5524-980-0x000002C26B1D0000-0x000002C26BC91000-memory.dmp

Filesize
10.8MB

Download
memory/5524-446-0x000002C26C5C0000-0x000002C26C636000-memory.dmp

Filesize
472KB

Download
memory/5524-445-0x000002C26C4F0000-0x000002C26C534000-memory.dmp

Filesize
272KB

Download
memory/5524-979-0x000002C26B1D0000-0x000002C26BC91000-memory.dmp

Filesize
10.8MB

Download
memory/5524-440-0x000002C26BFB0000-0x000002C26BFD2000-memory.dmp

Filesize
136KB

Download
memory/5524-866-0x000002C26B1D0000-0x000002C26BC91000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads