Analysis
-
max time kernel
350s -
max time network
351s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 00:06
Static task
static1
Behavioral task
behavioral1
Sample
EFI_[unknowncheats.me]_.zip
Resource
win10v2004-20240709-en
Errors
General
-
Target
EFI_[unknowncheats.me]_.zip
-
Size
22B
-
MD5
76cdb2bad9582d23c1f6f4d868218d6c
-
SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
-
SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
-
SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (522) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 120 5524 powershell.exe 123 5524 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CoronaVirus.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation CoronaVirus.exe -
Deletes itself 1 IoCs
Processes:
CoronaVirus.exepid process 1924 CoronaVirus.exe -
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe -
Executes dropped EXE 2 IoCs
Processes:
dismhost.exeCoronaVirus.exepid process 3028 dismhost.exe 1924 CoronaVirus.exe -
Loads dropped DLL 19 IoCs
Processes:
dismhost.exepid process 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe 3028 dismhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow ioc 116 camo.githubusercontent.com 122 raw.githubusercontent.com 123 raw.githubusercontent.com 205 raw.githubusercontent.com 206 raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\Info.hta CoronaVirus.exe File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Mozilla Firefox\mozavutil.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui CoronaVirus.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jdwp.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FirstTimeUse.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\BuildInfo.xml CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoBeta.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\hprof.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-250.png CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.id-AC844449.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\README.txt.id-AC844449.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_altform-unplated_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-black.png CoronaVirus.exe -
Drops file in Windows directory 2 IoCs
Processes:
Dism.exedismhost.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log Dism.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 3228 sc.exe 5380 sc.exe 3272 sc.exe 1120 sc.exe 5256 sc.exe 5900 sc.exe 5796 sc.exe 5544 sc.exe 5288 sc.exe 2120 sc.exe 5896 sc.exe 2136 sc.exe 2496 sc.exe 4664 sc.exe 5916 sc.exe 5036 sc.exe 2632 sc.exe 1864 sc.exe 5760 sc.exe 5948 sc.exe 728 sc.exe 5640 sc.exe 4820 sc.exe 2608 sc.exe 4564 sc.exe 5684 sc.exe 3028 sc.exe 5132 sc.exe 1932 sc.exe 5836 sc.exe 384 sc.exe 5864 sc.exe 728 sc.exe 5924 sc.exe 5792 sc.exe 1088 sc.exe 5392 sc.exe 5152 sc.exe 4348 sc.exe 1192 sc.exe 1876 sc.exe 3092 sc.exe 5328 sc.exe 5804 sc.exe 5948 sc.exe 4596 sc.exe 1396 sc.exe 4780 sc.exe 5920 sc.exe 4172 sc.exe 748 sc.exe 380 sc.exe 528 sc.exe 5908 sc.exe 5964 sc.exe 2632 sc.exe 5064 sc.exe 5480 sc.exe 5052 sc.exe 5900 sc.exe 5668 sc.exe 2024 sc.exe 1396 sc.exe 5272 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
clipup.exeClipup.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs clipup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID Clipup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID Clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs Clipup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID clipup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs Clipup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs clipup.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 20712 vssadmin.exe 23084 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "155" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-47134698-4092160662-1261813102-1000\{2353BAAE-BB2A-403B-A0D6-501B69BD53F7} msedge.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 5848 reg.exe 3464 reg.exe 2660 reg.exe 3900 reg.exe 3700 reg.exe 5640 reg.exe 5268 reg.exe 1200 reg.exe 544 reg.exe 5504 reg.exe 6124 reg.exe 4208 reg.exe 2716 reg.exe 5548 reg.exe 5688 reg.exe 5436 reg.exe 528 reg.exe 6100 reg.exe 1604 reg.exe 5628 reg.exe 5644 reg.exe 5944 reg.exe 2552 reg.exe 3436 reg.exe 2192 reg.exe 5260 reg.exe 5412 reg.exe 5688 reg.exe 5916 reg.exe 6100 reg.exe 5924 reg.exe 5932 reg.exe 1896 reg.exe 3228 reg.exe 5908 reg.exe 4236 reg.exe 5424 reg.exe 5368 reg.exe 5888 reg.exe 2876 reg.exe 1176 reg.exe 5408 reg.exe 5428 reg.exe 5876 reg.exe 1492 reg.exe 5656 reg.exe 3188 reg.exe 4548 reg.exe 1192 reg.exe 5388 reg.exe 5656 reg.exe 5272 reg.exe 5256 reg.exe 4564 reg.exe 5644 reg.exe 5352 reg.exe 5236 reg.exe 1864 reg.exe 4512 reg.exe 1028 reg.exe 2840 reg.exe 5344 reg.exe 6128 reg.exe 4068 reg.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 329039.crdownload:SmartScreen msedge.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeCoronaVirus.exepid process 4468 msedge.exe 4468 msedge.exe 4824 msedge.exe 4824 msedge.exe 1400 identity_helper.exe 1400 identity_helper.exe 3640 msedge.exe 3640 msedge.exe 5524 powershell.exe 5524 powershell.exe 5524 powershell.exe 4596 powershell.exe 4596 powershell.exe 4596 powershell.exe 5920 powershell.exe 5920 powershell.exe 5920 powershell.exe 2608 powershell.exe 2608 powershell.exe 2608 powershell.exe 1916 powershell.exe 1916 powershell.exe 1916 powershell.exe 5876 powershell.exe 5876 powershell.exe 5876 powershell.exe 2804 powershell.exe 2804 powershell.exe 2804 powershell.exe 5224 powershell.exe 5224 powershell.exe 5224 powershell.exe 3516 powershell.exe 3516 powershell.exe 3516 powershell.exe 380 powershell.exe 380 powershell.exe 380 powershell.exe 976 powershell.exe 976 powershell.exe 976 powershell.exe 3468 powershell.exe 3468 powershell.exe 3468 powershell.exe 5416 msedge.exe 5416 msedge.exe 5416 msedge.exe 5416 msedge.exe 2524 msedge.exe 2524 msedge.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe 1924 CoronaVirus.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 648 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Processes:
msedge.exepid process 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exedescription pid process Token: SeDebugPrivilege 5524 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeDebugPrivilege 5920 powershell.exe Token: SeIncreaseQuotaPrivilege 5416 WMIC.exe Token: SeSecurityPrivilege 5416 WMIC.exe Token: SeTakeOwnershipPrivilege 5416 WMIC.exe Token: SeLoadDriverPrivilege 5416 WMIC.exe Token: SeSystemProfilePrivilege 5416 WMIC.exe Token: SeSystemtimePrivilege 5416 WMIC.exe Token: SeProfSingleProcessPrivilege 5416 WMIC.exe Token: SeIncBasePriorityPrivilege 5416 WMIC.exe Token: SeCreatePagefilePrivilege 5416 WMIC.exe Token: SeBackupPrivilege 5416 WMIC.exe Token: SeRestorePrivilege 5416 WMIC.exe Token: SeShutdownPrivilege 5416 WMIC.exe Token: SeDebugPrivilege 5416 WMIC.exe Token: SeSystemEnvironmentPrivilege 5416 WMIC.exe Token: SeRemoteShutdownPrivilege 5416 WMIC.exe Token: SeUndockPrivilege 5416 WMIC.exe Token: SeManageVolumePrivilege 5416 WMIC.exe Token: 33 5416 WMIC.exe Token: 34 5416 WMIC.exe Token: 35 5416 WMIC.exe Token: 36 5416 WMIC.exe Token: SeIncreaseQuotaPrivilege 5416 WMIC.exe Token: SeSecurityPrivilege 5416 WMIC.exe Token: SeTakeOwnershipPrivilege 5416 WMIC.exe Token: SeLoadDriverPrivilege 5416 WMIC.exe Token: SeSystemProfilePrivilege 5416 WMIC.exe Token: SeSystemtimePrivilege 5416 WMIC.exe Token: SeProfSingleProcessPrivilege 5416 WMIC.exe Token: SeIncBasePriorityPrivilege 5416 WMIC.exe Token: SeCreatePagefilePrivilege 5416 WMIC.exe Token: SeBackupPrivilege 5416 WMIC.exe Token: SeRestorePrivilege 5416 WMIC.exe Token: SeShutdownPrivilege 5416 WMIC.exe Token: SeDebugPrivilege 5416 WMIC.exe Token: SeSystemEnvironmentPrivilege 5416 WMIC.exe Token: SeRemoteShutdownPrivilege 5416 WMIC.exe Token: SeUndockPrivilege 5416 WMIC.exe Token: SeManageVolumePrivilege 5416 WMIC.exe Token: 33 5416 WMIC.exe Token: 34 5416 WMIC.exe Token: 35 5416 WMIC.exe Token: 36 5416 WMIC.exe Token: SeIncreaseQuotaPrivilege 5544 WMIC.exe Token: SeSecurityPrivilege 5544 WMIC.exe Token: SeTakeOwnershipPrivilege 5544 WMIC.exe Token: SeLoadDriverPrivilege 5544 WMIC.exe Token: SeSystemProfilePrivilege 5544 WMIC.exe Token: SeSystemtimePrivilege 5544 WMIC.exe Token: SeProfSingleProcessPrivilege 5544 WMIC.exe Token: SeIncBasePriorityPrivilege 5544 WMIC.exe Token: SeCreatePagefilePrivilege 5544 WMIC.exe Token: SeBackupPrivilege 5544 WMIC.exe Token: SeRestorePrivilege 5544 WMIC.exe Token: SeShutdownPrivilege 5544 WMIC.exe Token: SeDebugPrivilege 5544 WMIC.exe Token: SeSystemEnvironmentPrivilege 5544 WMIC.exe Token: SeRemoteShutdownPrivilege 5544 WMIC.exe Token: SeUndockPrivilege 5544 WMIC.exe Token: SeManageVolumePrivilege 5544 WMIC.exe Token: 33 5544 WMIC.exe Token: 34 5544 WMIC.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
msedge.exepid process 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 23776 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4824 wrote to memory of 400 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 400 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 872 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 4468 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 4468 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 5100 4824 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\EFI_[unknowncheats.me]_.zip1⤵PID:1844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0e8146f8,0x7ffc0e814708,0x7ffc0e8147182⤵PID:400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵PID:872
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:5100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵PID:5060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:12⤵PID:3052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵PID:4760
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:82⤵PID:2140
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1400 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵PID:2372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵PID:4228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:4532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵PID:3176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵PID:1056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:82⤵PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3464 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3640 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵PID:4576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:12⤵PID:2316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:12⤵PID:4568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵PID:1716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1348 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5416 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵PID:1212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵PID:3544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵PID:1812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6336 /prefetch:82⤵PID:2360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵PID:5952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:82⤵PID:1168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵PID:1356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,6555886188417747932,132104156833431418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2524
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1468
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3272
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_60117008.cmd" "2⤵PID:5880
-
C:\Windows\System32\sc.exesc query Null3⤵
- Launches sc.exe
PID:5948 -
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:5956
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_60117008.cmd"3⤵PID:4640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:1460
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:3208
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:2364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd3⤵PID:3700
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:1120
-
C:\Windows\System32\cmd.execmd4⤵PID:1012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_60117008.cmd" "3⤵PID:5124
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:6124
-
C:\Windows\System32\fltMC.exefltmc3⤵PID:1992
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit3⤵
- Modifies registry key
PID:6100 -
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:4780
-
C:\Windows\System32\reg.exereg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f3⤵PID:2040
-
C:\Windows\System32\cmd.execmd.exe /c ""C:\Windows\Temp\MAS_60117008.cmd" -qedit"3⤵PID:1708
-
C:\Windows\System32\reg.exereg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f4⤵
- Modifies registry key
PID:3436 -
C:\Windows\System32\sc.exesc query Null4⤵PID:5288
-
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5220
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_60117008.cmd"4⤵PID:5332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "4⤵PID:5308
-
C:\Windows\System32\find.exefind /i "/"4⤵PID:5296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver4⤵PID:5384
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV24⤵PID:5404
-
C:\Windows\System32\find.exefind /i "0x0"4⤵PID:5408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd4⤵PID:5436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "5⤵PID:4848
-
C:\Windows\System32\cmd.execmd5⤵PID:5132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_60117008.cmd" "4⤵PID:5140
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"4⤵PID:6140
-
C:\Windows\System32\fltMC.exefltmc4⤵PID:5596
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit4⤵
- Modifies registry key
PID:2716 -
C:\Windows\System32\find.exefind /i "0x0"4⤵PID:2660
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev4⤵PID:4172
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev5⤵
- Runs ping.exe
PID:5268 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "4⤵PID:4132
-
C:\Windows\System32\find.exefind "127.69"4⤵PID:3660
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "4⤵PID:5652
-
C:\Windows\System32\find.exefind "127.69.2.6"4⤵PID:384
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "4⤵PID:1604
-
C:\Windows\System32\find.exefind /i "/S"4⤵PID:2752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "4⤵PID:5788
-
C:\Windows\System32\find.exefind /i "/"4⤵PID:5672
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:5684
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop5⤵PID:4416
-
C:\Windows\System32\mode.commode 76, 304⤵PID:4672
-
C:\Windows\System32\choice.exechoice /C:123456780 /N4⤵PID:5836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver4⤵PID:5868
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV24⤵PID:628
-
C:\Windows\System32\find.exefind /i "0x0"4⤵PID:4568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo prompt $E | cmd4⤵PID:4688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "5⤵PID:976
-
C:\Windows\System32\cmd.execmd5⤵PID:5036
-
C:\Windows\System32\mode.commode 110, 344⤵PID:728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $ExecutionContext.SessionState.LanguageMode4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\System32\find.exefind /i "Full"4⤵PID:4192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"4⤵PID:1876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "4⤵PID:5320
-
C:\Windows\System32\find.exefind /i "Windows"4⤵PID:5300
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5416 -
C:\Windows\System32\find.exefind /i "computersystem"4⤵PID:5428
-
C:\Windows\System32\sc.exesc start sppsvc4⤵
- Launches sc.exe
PID:5132 -
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5544 -
C:\Windows\System32\findstr.exefindstr /i "Windows"4⤵PID:5148
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"4⤵PID:5400
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul4⤵PID:5668
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn5⤵PID:4532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul4⤵PID:5804
-
C:\Windows\System32\wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST5⤵PID:5912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE4⤵PID:5456
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE5⤵PID:5888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver4⤵PID:5152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net4⤵PID:5792
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net5⤵
- Runs ping.exe
PID:5740 -
C:\Windows\System32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled4⤵PID:2552
-
C:\Windows\System32\find.exefind /i "0x0"4⤵PID:4664
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled4⤵PID:1088
-
C:\Windows\System32\find.exefind /i "0x0"4⤵PID:2136
-
C:\Windows\System32\sc.exesc start ClipSVC4⤵
- Launches sc.exe
PID:5864 -
C:\Windows\System32\sc.exesc query ClipSVC4⤵
- Launches sc.exe
PID:3228 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService4⤵
- Modifies registry key
PID:528 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description4⤵PID:5088
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName4⤵
- Modifies registry key
PID:3900 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl4⤵
- Modifies registry key
PID:5848 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath4⤵
- Modifies registry key
PID:5876 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName4⤵
- Modifies registry key
PID:4564 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start4⤵
- Modifies registry key
PID:5916 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type4⤵PID:2472
-
C:\Windows\System32\sc.exesc start wlidsvc4⤵
- Launches sc.exe
PID:2496 -
C:\Windows\System32\sc.exesc query wlidsvc4⤵
- Launches sc.exe
PID:2632 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService4⤵PID:4252
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description4⤵
- Modifies registry key
PID:6124 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName4⤵PID:1608
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl4⤵PID:4780
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath4⤵PID:948
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName4⤵PID:2564
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start4⤵
- Modifies registry key
PID:6128 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type4⤵
- Modifies registry key
PID:6100 -
C:\Windows\System32\sc.exesc start sppsvc4⤵
- Launches sc.exe
PID:4820 -
C:\Windows\System32\sc.exesc query sppsvc4⤵
- Launches sc.exe
PID:5328 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService4⤵
- Modifies registry key
PID:5260 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description4⤵
- Modifies registry key
PID:5368 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName4⤵
- Modifies registry key
PID:5236 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl4⤵
- Modifies registry key
PID:5924 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath4⤵
- Modifies registry key
PID:5272 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName4⤵PID:5332
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start4⤵
- Modifies registry key
PID:5932 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type4⤵PID:1876
-
C:\Windows\System32\sc.exesc start KeyIso4⤵
- Launches sc.exe
PID:5380 -
C:\Windows\System32\sc.exesc query KeyIso4⤵
- Launches sc.exe
PID:5392 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService4⤵PID:5128
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description4⤵
- Modifies registry key
PID:5412 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName4⤵PID:5420
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl4⤵
- Modifies registry key
PID:5436 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath4⤵
- Modifies registry key
PID:1176 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName4⤵PID:2188
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start4⤵PID:3548
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type4⤵PID:3988
-
C:\Windows\System32\sc.exesc start LicenseManager4⤵
- Launches sc.exe
PID:5052 -
C:\Windows\System32\sc.exesc query LicenseManager4⤵
- Launches sc.exe
PID:5544 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService4⤵
- Modifies registry key
PID:1604 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description4⤵PID:2064
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName4⤵
- Modifies registry key
PID:5628 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl4⤵PID:1548
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath4⤵PID:4108
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName4⤵
- Modifies registry key
PID:5656 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start4⤵
- Modifies registry key
PID:2840 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type4⤵
- Modifies registry key
PID:5644 -
C:\Windows\System32\sc.exesc start Winmgmt4⤵
- Launches sc.exe
PID:2024 -
C:\Windows\System32\sc.exesc query Winmgmt4⤵
- Launches sc.exe
PID:2608 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService4⤵
- Modifies registry key
PID:5688 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description4⤵PID:2688
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName4⤵PID:4416
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl4⤵
- Modifies registry key
PID:4208 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath4⤵
- Modifies registry key
PID:5504 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName4⤵PID:5904
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start4⤵
- Modifies registry key
PID:1896 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type4⤵PID:4512
-
C:\Windows\System32\sc.exesc start DoSvc4⤵
- Launches sc.exe
PID:380 -
C:\Windows\System32\sc.exesc query DoSvc4⤵
- Launches sc.exe
PID:5152 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService4⤵
- Modifies registry key
PID:3188 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description4⤵PID:3092
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName4⤵PID:2132
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl4⤵
- Modifies registry key
PID:1028 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath4⤵
- Modifies registry key
PID:1864 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName4⤵PID:216
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start4⤵
- Modifies registry key
PID:4548 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type4⤵
- Modifies registry key
PID:3228 -
C:\Windows\System32\sc.exesc start UsoSvc4⤵
- Launches sc.exe
PID:528 -
C:\Windows\System32\sc.exesc query UsoSvc4⤵
- Launches sc.exe
PID:1396 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService4⤵
- Modifies registry key
PID:5908 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description4⤵
- Modifies registry key
PID:5944 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName4⤵PID:5868
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl4⤵
- Modifies registry key
PID:2552 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath4⤵PID:4564
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName4⤵PID:5916
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start4⤵PID:2472
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type4⤵PID:2496
-
C:\Windows\System32\sc.exesc start CryptSvc4⤵PID:2632
-
C:\Windows\System32\sc.exesc query CryptSvc4⤵
- Launches sc.exe
PID:728 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService4⤵PID:4284
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description4⤵PID:5064
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName4⤵
- Modifies registry key
PID:3700 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl4⤵
- Modifies registry key
PID:4068 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath4⤵
- Modifies registry key
PID:1192 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName4⤵
- Modifies registry key
PID:3464 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start4⤵
- Modifies registry key
PID:2192 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type4⤵
- Modifies registry key
PID:5256 -
C:\Windows\System32\sc.exesc start BITS4⤵
- Launches sc.exe
PID:5288 -
C:\Windows\System32\sc.exesc query BITS4⤵
- Launches sc.exe
PID:4596 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService4⤵PID:5872
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description4⤵PID:5224
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName4⤵
- Modifies registry key
PID:4236 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl4⤵
- Modifies registry key
PID:5388 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath4⤵PID:5300
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName4⤵
- Modifies registry key
PID:5424 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start4⤵
- Modifies registry key
PID:5408 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type4⤵
- Modifies registry key
PID:5428 -
C:\Windows\System32\sc.exesc start TrustedInstaller4⤵PID:5416
-
C:\Windows\System32\sc.exesc query TrustedInstaller4⤵
- Launches sc.exe
PID:2120 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService4⤵PID:2292
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description4⤵PID:5600
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName4⤵PID:3516
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl4⤵
- Modifies registry key
PID:5548 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath4⤵PID:5148
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName4⤵PID:4456
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start4⤵
- Modifies registry key
PID:1492 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type4⤵
- Modifies registry key
PID:2660 -
C:\Windows\System32\sc.exesc start wuauserv4⤵
- Launches sc.exe
PID:4348 -
C:\Windows\System32\sc.exesc query wuauserv4⤵
- Launches sc.exe
PID:5760 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService4⤵PID:4108
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description4⤵
- Modifies registry key
PID:5656 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName4⤵PID:2840
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl4⤵
- Modifies registry key
PID:5644 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath4⤵
- Modifies registry key
PID:2876 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName4⤵PID:5824
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start4⤵
- Modifies registry key
PID:5640 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type4⤵
- Modifies registry key
PID:5268 -
C:\Windows\System32\sc.exesc start WaaSMedicSvc4⤵
- Launches sc.exe
PID:5900 -
C:\Windows\System32\sc.exesc query WaaSMedicSvc4⤵
- Launches sc.exe
PID:5896 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService4⤵PID:5912
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description4⤵PID:4276
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName4⤵
- Modifies registry key
PID:5888 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl4⤵
- Modifies registry key
PID:4512 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath4⤵
- Modifies registry key
PID:5352 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName4⤵
- Modifies registry key
PID:5344 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start4⤵
- Modifies registry key
PID:1200 -
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type4⤵PID:2392
-
C:\Windows\System32\sc.exesc start ClipSVC4⤵
- Launches sc.exe
PID:4664 -
C:\Windows\System32\sc.exesc start wlidsvc4⤵
- Launches sc.exe
PID:1864 -
C:\Windows\System32\sc.exesc start sppsvc4⤵
- Launches sc.exe
PID:2136 -
C:\Windows\System32\sc.exesc start KeyIso4⤵
- Launches sc.exe
PID:1932 -
C:\Windows\System32\sc.exesc start LicenseManager4⤵PID:2068
-
C:\Windows\System32\sc.exesc start Winmgmt4⤵PID:2268
-
C:\Windows\System32\sc.exesc start DoSvc4⤵
- Launches sc.exe
PID:1396 -
C:\Windows\System32\sc.exesc start UsoSvc4⤵
- Launches sc.exe
PID:5908 -
C:\Windows\System32\sc.exesc start CryptSvc4⤵
- Launches sc.exe
PID:5836 -
C:\Windows\System32\sc.exesc start BITS4⤵
- Launches sc.exe
PID:5948 -
C:\Windows\System32\sc.exesc start TrustedInstaller4⤵
- Launches sc.exe
PID:5964 -
C:\Windows\System32\sc.exesc start wuauserv4⤵
- Launches sc.exe
PID:3272 -
C:\Windows\System32\sc.exesc start WaaSMedicSvc4⤵
- Launches sc.exe
PID:4564 -
C:\Windows\System32\sc.exesc config DoSvc start= delayed-auto4⤵
- Launches sc.exe
PID:5916 -
C:\Windows\System32\sc.exesc query ClipSVC4⤵
- Launches sc.exe
PID:5036 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:3208
-
C:\Windows\System32\sc.exesc start ClipSVC4⤵
- Launches sc.exe
PID:2632 -
C:\Windows\System32\sc.exesc query wlidsvc4⤵
- Launches sc.exe
PID:728 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:4516
-
C:\Windows\System32\sc.exesc start wlidsvc4⤵
- Launches sc.exe
PID:5064 -
C:\Windows\System32\sc.exesc query sppsvc4⤵
- Launches sc.exe
PID:4780 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5152
-
C:\Windows\System32\sc.exesc start sppsvc4⤵
- Launches sc.exe
PID:1120 -
C:\Windows\System32\sc.exesc query KeyIso4⤵
- Launches sc.exe
PID:1192 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:6104
-
C:\Windows\System32\sc.exesc start KeyIso4⤵PID:4192
-
C:\Windows\System32\sc.exesc query LicenseManager4⤵
- Launches sc.exe
PID:5256 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5328
-
C:\Windows\System32\sc.exesc start LicenseManager4⤵
- Launches sc.exe
PID:5924 -
C:\Windows\System32\sc.exesc query Winmgmt4⤵
- Launches sc.exe
PID:5272 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:388
-
C:\Windows\System32\sc.exesc start Winmgmt4⤵
- Launches sc.exe
PID:1876 -
C:\Windows\System32\sc.exesc query DoSvc4⤵
- Launches sc.exe
PID:5920 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5392
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Service DoSvc4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916 -
C:\Windows\System32\sc.exesc query DoSvc4⤵
- Launches sc.exe
PID:384 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5672
-
C:\Windows\System32\sc.exesc start DoSvc4⤵
- Launches sc.exe
PID:4172 -
C:\Windows\System32\sc.exesc query UsoSvc4⤵
- Launches sc.exe
PID:5684 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:2876
-
C:\Windows\System32\sc.exesc start UsoSvc4⤵
- Launches sc.exe
PID:5668 -
C:\Windows\System32\sc.exesc query CryptSvc4⤵
- Launches sc.exe
PID:5640 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:6076
-
C:\Windows\System32\sc.exesc start CryptSvc4⤵
- Launches sc.exe
PID:5900 -
C:\Windows\System32\sc.exesc query BITS4⤵
- Launches sc.exe
PID:5804 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:4672
-
C:\Windows\System32\sc.exesc start BITS4⤵
- Launches sc.exe
PID:5480 -
C:\Windows\System32\sc.exesc query TrustedInstaller4⤵
- Launches sc.exe
PID:5796 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:5196
-
C:\Windows\System32\sc.exesc start TrustedInstaller4⤵
- Launches sc.exe
PID:5792 -
C:\Windows\System32\sc.exesc query wuauserv4⤵
- Launches sc.exe
PID:3092 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:3544
-
C:\Windows\System32\sc.exesc start wuauserv4⤵
- Launches sc.exe
PID:1088 -
C:\Windows\System32\sc.exesc query WaaSMedicSvc4⤵
- Launches sc.exe
PID:748 -
C:\Windows\System32\find.exefind /i "RUNNING"4⤵PID:1264
-
C:\Windows\System32\sc.exesc start WaaSMedicSvc4⤵
- Launches sc.exe
PID:3028 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState4⤵PID:1932
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState5⤵PID:2068
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot4⤵PID:2268
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_60117008.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul4⤵PID:1396
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_60117008.cmd') -split ':wpatest\:.*';iex ($f[1]);"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5876 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "7" "4⤵PID:2632
-
C:\Windows\System32\find.exefind /i "Error Found"4⤵PID:4284
-
C:\Windows\System32\Dism.exeDISM /English /Online /Get-CurrentEdition4⤵
- Drops file in Windows directory
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\dismhost.exeC:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\dismhost.exe {0AA46966-3206-4BBC-A0B8-B11B24E764BD}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3028 -
C:\Windows\System32\cmd.execmd /c exit /b 04⤵PID:1168
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul4⤵PID:5912
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID5⤵PID:4364
-
C:\Windows\System32\cscript.execscript //nologo C:\Windows\system32\slmgr.vbs /dlv4⤵PID:380
-
C:\Windows\System32\cmd.execmd /c exit /b 04⤵PID:2392
-
C:\Windows\System32\wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value4⤵PID:1360
-
C:\Windows\System32\find.exefind /i "computersystem"4⤵PID:1088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "0" "4⤵PID:528
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440"4⤵PID:5804
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"4⤵PID:460
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"4⤵PID:2472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul4⤵PID:628
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"5⤵PID:5868
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d4⤵PID:5956
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul4⤵PID:2496
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore5⤵PID:2816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul4⤵PID:2552
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE5⤵PID:2632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3516 -
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility4⤵
- Modifies registry key
PID:544 -
C:\Windows\System32\find.exefind /i "windowsupdate"4⤵PID:1384
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress4⤵PID:5648
-
C:\Windows\System32\reg.exereg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s4⤵
- Modifies registry key
PID:5688 -
C:\Windows\System32\findstr.exefindstr /i "NoAutoUpdate DisableWindowsUpdateAccess"4⤵PID:2688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo: "4⤵PID:5268
-
C:\Windows\System32\find.exefind /i "wuauserv"4⤵PID:4208
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps4⤵PID:3700
-
C:\Windows\System32\find.exefind /i "0x1"4⤵PID:2236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "4⤵PID:8
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"4⤵PID:3952
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"4⤵PID:5456
-
C:\Windows\System32\cmd.execmd /c exit /b 04⤵PID:6140
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus4⤵PID:5740
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul4⤵PID:4056
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name5⤵PID:5084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul4⤵PID:1360
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation5⤵PID:3900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))4⤵PID:528
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))5⤵
- Suspicious behavior: EnumeratesProcesses
PID:380 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "4⤵PID:1476
-
C:\Windows\System32\find.exefind "AAAA"4⤵PID:3780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Restart-Service ClipSVC4⤵
- Suspicious behavior: EnumeratesProcesses
PID:976 -
C:\Windows\System32\ClipUp.execlipup -v -o4⤵PID:4376
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temC1B5.tmp5⤵
- Checks SCSI registry key(s)
PID:4172 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"4⤵PID:4208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "4⤵PID:4364
-
C:\Windows\System32\find.exefind /i "Windows"4⤵PID:5352
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate4⤵PID:2292
-
C:\Windows\System32\cmd.execmd /c exit /b 04⤵PID:5916
-
C:\Windows\System32\wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value4⤵PID:6124
-
C:\Windows\System32\findstr.exefindstr /i "Windows"4⤵PID:4568
-
C:\Windows\System32\mode.commode 76, 304⤵PID:1004
-
C:\Windows\System32\choice.exechoice /C:123456780 /N4⤵PID:6108
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵PID:3552
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temC0CA.tmp2⤵
- Checks SCSI registry key(s)
PID:5320
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5256
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"1⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1924 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:5332
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:840
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:20712 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:25988
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:23272
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:23084 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:23520
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:23404
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:8060
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa381a855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:23776
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-AC844449.[[email protected]].ncov
Filesize3.2MB
MD57fdde8e62c140029ffbbee74f5c510ba
SHA1974fdb4a01892be54f4501602de86657d89b8645
SHA2560ebc6207f88cdd88b5b1772e654dfe9bf13ef7fbb0f4e581573391ace92f4bf1
SHA512d91173504e8cbc1e8884452ba1c637e27cb7cf822e4acfcfe8569aa8cd278e3bb180795c43e0fdaa87fefb1044256f9b6534035a2ad920fd75bd7340ba7cda2e
-
Filesize
1KB
MD567a8abe602fd21c5683962fa75f8c9fd
SHA1e296942da1d2b56452e05ae7f753cd176d488ea8
SHA2561d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA51270b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD527f3335bf37563e4537db3624ee378da
SHA157543abc3d97c2a2b251b446820894f4b0111aeb
SHA256494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a
SHA5122bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5db85f3d-363f-49fe-af39-c1539cf2b278.tmp
Filesize1KB
MD5c5233533761c534bf352d13b46fd6e5e
SHA1d2fe20138e09aec79f837d4ea95b91f306aee72b
SHA256347a5f850d6da84f5a5b57828a144a392752758f77647813501fadc9ccb9b615
SHA512b737fec80dbc79a4e2927ff581eccdf4db6531e9bfc0619170a590c97754001a91c45a20242b6874bd754cc7cb181f8891a8313fa0fcc47aad734b1ac5a4137c
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD5d34f421295c1e75d8931c3e7fea11b25
SHA1e83ccd11a1d57ff0cb2bd56b8acdf8525f1721b7
SHA2568faf393bd11c5916f3828716d5886d770b291e6ea4847d54d242943dbe8d722c
SHA512f92d6366d337513c5d077d220f1d3bd1129c2e91a171e39c3980aca1031bbca9c48a16683d88caa9241f5150a9369c9964414b607d7a1cadaf3e51956d4bdf7b
-
Filesize
41KB
MD59d3881d3c9400536a0b3d78c867ab8be
SHA18544210a4e0bb56e91b98a7615e0144432fa4a06
SHA256147e0558bde7300e6fadc9284009077a4cd6794ef77d909e502510b23e69f7bc
SHA5122c5a1665e3c3c459b9917944009b1c9027912e7876618cf584eaf9e72040494cc547aa232c925032e7d9a461e95590d1c2cce9f8b1560fcfb714bd69f731b5c9
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5931d16be2adb03f2d5df4d249405d6e6
SHA17b7076fb55367b6c0b34667b54540aa722e2f55f
SHA256b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3
SHA51241d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad
-
Filesize
43KB
MD5209af4da7e0c3b2a6471a968ba1fc992
SHA12240c2da3eba4f30b0c3ef2205ce7848ecff9e3f
SHA256ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403
SHA51209201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35
-
Filesize
74KB
MD5b07f576446fc2d6b9923828d656cadff
SHA135b2a39b66c3de60e7ec273bdf5e71a7c1f4b103
SHA256d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496
SHA5127358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df
-
Filesize
37KB
MD5f9a90d58144602c12373f3a51ae11c3e
SHA150930fadc719a0cf689f480f053fe55eaab64817
SHA256477adbd55274ba5f7057f114fd4c4908fe46d7f486c7cd6dfe452a80ff0b7c82
SHA5120f06561a943bdafdc0f6355ce4a5dd2a3daa348d621ac8c0d95632d5bf0458b4068803af0f3e9819496ed750299a63e6eea88c53bd2816c757a0e4c721d7e4f7
-
Filesize
37KB
MD5f379276efec34127fed6f06101a024d3
SHA1279e8e9dc86c622343e5bba17043d893c9224086
SHA2561f92cc266344c34ab3ba73fd7107c0b7d53de896e47f3683c9e7ea4b1e74b8cf
SHA512a87e994179341eedf39393fd4b7a57e8ac341f43bcd846c3bc16da9632921c08566be9ccb1b3afc0a1b9a9152c6a1339bff584401aaeb7f1cff7a36af66db5a5
-
Filesize
20KB
MD56686ec56c4536362ed40e1a3471e4a1e
SHA1a0f9d0126bddcb40743d717cc9322c6b91d35b2c
SHA256823063b7a7f06616d10539be8eee67b351e66a7e7cdaf928679ce88c9bde42ca
SHA512067ed2eb82ae2d10a5d7a05cf2bf8dc82f8fea0eea1722d93ed95caba12583f8382245348634365ff92fffa547a55f579957ade966226a674875c43a6f18191e
-
Filesize
18KB
MD54e3c3d1baf2cd51127ec83266c8903d0
SHA14768007b563449e66a04ce8ba8fdb0a8445ba689
SHA256d28aca638adb186dbaa143e62e7b0ccf0d6785ac5408ce8cf0b035f897fea5d8
SHA512c187badfffbc662eb5483c3fa5435332dcf94dfb849c5cfdd7a9ba1bb5e6df76f06cfd624024be062902e0590be1a454b1511336dada9c9c571e65e7f520776b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5b85f421fc8bcb1cc07f3f244eb4ba442
SHA1d3c383bf9bd0dc6b6abfd1ce7539f03b1b74f5b5
SHA256969c6534b6b92332270362c898ea08f7ba6075aad4a04b057766bb7b09356367
SHA5128f6c3745746bea462c957c66819ce6bb80ce3dcc381a84f0119eb3b9d447eee87645f7c72d4b0a212093339232157db47c78ea0f6c971bea06190480545fcb87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5268757486d90bf7ca689249487561b68
SHA1a609ed43c12e9ea4c6c1f5fd2f1a96bd8107b4e4
SHA25624b5385d4c8050e3d76e7657324198d7dab6fa7e2d9b5b91ef062f4dc5c3824c
SHA5124b16e33dba3355e91b15afee71face92b32fbc74101708f75888a16bf1853e38ca020cea033e45e62321e3600ea241ffd73c4ff76e32da874306d640f9ee2cd8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5bbd3b3f2ca4f5ac715c55ceecb0d800f
SHA1f81330d5ec74d18d2e200d3e27696dffa76c332f
SHA256fb119ce22706daa1b8ecc7d34d59fcb33b29935c4818d2ea1ca0f25e0ee2050f
SHA51284e7b56e011b6f11d2fdd8fd214be0d4218788e2311841dab1abe770d7b4be7d1fb393e648a40b3b4869e2047a5574a0bb25f79a895d197bfe3a4fd68e6e8629
-
Filesize
1KB
MD536a57325e9119e7d2271e031b2090550
SHA1bb98b4c5f4626c46ef614119369c5a2af3636cee
SHA256c0cf114d580003e660c59feb30d5bb9c6d6df8675288db58543891136278f272
SHA51274b60be130f53cb7552a6dd2badd7cee18660b4b0d01d52f64515ecf07846b5660a23869d5bf34cee07f7755be45e78ddae196814f4984e8fced5bc2d38c4274
-
Filesize
1KB
MD5d52c97bda342498d91556b1ef8ecd6e3
SHA1878255ba353e194a2531a920f364edcd168358e4
SHA256f36e9a196b314331eab37062bb86b3433f23578339f22fe5ccacd728394916d5
SHA512475f42501dd0c8dcc460c6604b148c2d4b0f89cf48d4fbaf6f714deaa6419df2663bd8cab65297c33073c9e6eca4babbc0dfd4f9c9e7d5c84b3e7a24306737f1
-
Filesize
6KB
MD59a1e48c21448093848c4b2f3e5451c09
SHA13203d817c9c46410b7d6794641a45a32cd90268d
SHA256dca440c9c300d68a1d8cbce9698d7779fb9bc5a98ea97843417aec57dbe9aecc
SHA51279eb3a51da4c19a96321a4d209aa1f2a648aa5a8990534520412f57d879b1ffa5b6fcabd3c64bc15c46393aaebba547e6b9ea7a597a66304d0dd6bbf3da7f62a
-
Filesize
9KB
MD5d4cebbe12eeab7462299275195dc8ec2
SHA10954b53997b0d0f0fc7424b95b43ebec39c8d522
SHA256fd741e5fdac991ba1c9bd58c076741b74130ae7e48d5dfc8fe0af6ae838e0c3c
SHA512dc2c969a2a00a17bceaaa7af7f6b740a0c28f0c85b9ee5ad79366e0dccdc2771d4ad0983d9140d03c58f3c9b19f4c9d2c2cd7ba1f0ea185d0abf76dac6b1971d
-
Filesize
9KB
MD5b976c5ee2a01258ddb5b3c8857e629dd
SHA1362a773621c9daebd38522fd6f0ca929f9558c76
SHA2568ce6a05e9fbbe56cdffc97cf08fbd028c7c795eec865b3716f30d5d1ed12400c
SHA512642adb6f40130eb64b04ac1e88ccd179d378507cab47a02d8290c62f074de97f8a29b7a7c736d9a9466504c73125336d972a0160ea04b1fb515162fc3bf46b76
-
Filesize
5KB
MD518e23e8de2530e5f4dd36988b205efc7
SHA1ff06c747b097d2b5156b70eb3b72833a361aca93
SHA2565fd5b0b69518698f013c5fb3ba1f2215e54f82a7aacb5b46d3810e8027acd98f
SHA51275b6880e52d16763036c2e74f11b5cb2d599e2f89dda4e309cf65573bac0537475e1dc00aa1cd309871157b0ef7153d8db02251427586787be77ab3b40f6d87b
-
Filesize
6KB
MD558afdf136b0cce1ba9b28534047129c7
SHA132d19bf0cb4f7b40aed61cbf9882c1340ee7f8af
SHA256482ec41758ccca8af5a94b0a729a7260d01bc8b4c5c53d7ffe99cecf1e7df5a9
SHA512adf24699d13154477924794f534abce93e5a31519cc203a110effe351849971c2d3c5454c5720dd9b4ec7f306fab5148cf00eb5e6e8a121760b5f15526e79fea
-
Filesize
9KB
MD5e87d07d07eb943cc7741355e162bc89e
SHA15a9d2c54be3f74bdcf7800d97f2eae31a8a205c4
SHA256dd998c62b7d6822c8bff2b731fbaf10276f9959d68bbb590025659caf708c680
SHA512f0b005333d1a76939adba1482838c0c52e98f1f63524618f1fec589088610719c4e64b8c6a7992e10eb40ad782b539b01478389d2e7e3cd1ec6c4d4f55272701
-
Filesize
7KB
MD576e2d848ba91652b45a76b43a691efd4
SHA1e43a86bf9060a997788832cb4791db48fc745ee4
SHA2563c6e92b16ade4f33cfc04794482f25224fda274d3348f6cd132b0e67eec6aeda
SHA512012005e6f7e7ee938e4a278dddd6e257ceb29161b884b2e609380e2eeb669b6514b619d113e37918dd68cc4f1145d848ed1b62a67b29680fc40760c1f387a6c2
-
Filesize
9KB
MD5d8437e5b4371392eff2fbf0b14b97d55
SHA18cf3a73ee00db2dd94be084c9404dd0f1143ca1c
SHA2569b70f8e72b3d48f39943c1e1b628342b29bb74ce81d8398407a0cff74c78c36c
SHA512633d2af812dbb4c992c41ef35acc5b5a73e912a6f288b6f0025ea92f75b7796cdafeb4cb5a3d0c7ee7453ba0eba6a426eb02ab1bab312c3fc614c1184ceda061
-
Filesize
9KB
MD56520d697e65b17ed1f4af730444e2cdf
SHA139dfd0cf0ab25884f0df89f48dfa6629879a876f
SHA256af0eee94f529591f9ffb11c20fdb4b1f08e2dd348e0040aa5ef76cfc027c525d
SHA512f64b44f5fab6976b9ebd006094f01e415e3847673f4a6145b04e281735b9a8a728de5cad3d3b34f404031ba53948e7481abed744060b2dd900374f98205ca224
-
Filesize
9KB
MD5531784c167cc7114c4049527fc3cd2f3
SHA1509893fa8803317833fb9f0e2147a4bcb0da2141
SHA2561741839423dc6580515bfa971b9d45eb9ad6d4cee192a8ce7b4d641d2883d0f2
SHA512593a0cdff3f7ec5eb6fa012ffb6411aafe01152e452fab24dd6f61daa2a64e74296192b29dd5da420311ba82a979a9f6087b1bcf265f32294c398fb098ab67bf
-
Filesize
9KB
MD5f8cebed1c42076b61f6a6de6fdcdca48
SHA1274f57d8d17b70ca3f793250b26d036a34c958d1
SHA2569c844ad81eb6590605f319119b64b7d97061a8d94480f5cab7c3d084b1eaef5e
SHA5126d71f9027838877809a35aaa4f69d1898230aef563feff31bc79a157e66080a2e5f75fca5e37aaea2a386c6df23b5eecd3078198433bad6bf7bd1bcb9050bb99
-
Filesize
1KB
MD56064f7f8ca7dee3a3211a6ce15fd3502
SHA104d042bbb0d2eaf74fcb0613773fe673ce0b63d3
SHA256c0d5bdec44a65ab4d200846e9d04a06566992e1a596c7ca6b0ef58af67575976
SHA51293e1f46fb039ce963e763587603a8ba6a0ac7f1da5dcd806f89de8eac4e7ee4aab1ec77880111bdff4ee75354cdeba1f1aa9c280cdf8d7d1712d545a20d4e081
-
Filesize
1KB
MD5c4ae1bf88d6d2144bd5642914a2e5804
SHA12c239f3a9d08b2513e0967df00f9ae59c3efc757
SHA2566ca8a8494c3c6c56e326d1ae050c7ec0a701bf2d57ceae57f9a4b76ee9d8191a
SHA51226fa01b3f09da17ac74ed3fa9485ded20930d7204a56544005e515d592e2282016a6df9cf2f37e2ae98248279b5aa6f49d38ebb7c8bc6ea7a3b98302440d01b5
-
Filesize
1KB
MD5be7e89e42bf23991a76883797d2b44e5
SHA11e5f9a4e587292732b9ccd1e47a2ced2671bf46e
SHA256aad5bb1afe8323fc19bfd32bbf6d5e59f2f693cd5376adabbb499cab67fea0df
SHA5126bb27edb702581e359346a1b772fc4cbdf06bae869430517662c702881d0e4621038cf5d725ff97b5b514336ff26c4b47e5ce0fcbebcb17c234c5536e60b3a1b
-
Filesize
1KB
MD5b47dfd83aba10cc5cee38d2926179cc9
SHA14b93a5d50f0047f09671fcc116f8358ba8a3eb3e
SHA2567d85b0881c26434e4010ad5d9a993bc3f0d6800942c91d28e0b88d504ecd7932
SHA512fb65d7eb3e48fac963da4c487e637ca3ee17700f585693a3139d28339cb7c69855f6d789aa655a8007a388c03b05a90569eec79f00d1314358912d7276e7b279
-
Filesize
1KB
MD5c74c66f234b4578ba4ccf01ddb5335f3
SHA15d76f561dde0ecf244bd8ddab76b2f706a29d338
SHA2568be39b4006122950ba8de081d828940bf9e2eac2833565a58dfee9fa37ad9ae4
SHA5125baeb8eed1936d944e632b3bb6b6581dfa0ec8fb6e81d13b348a1feab113f105eed029fa453c3039ca0e29eae5f2ae1465f5e4a739db00edbc899a4d7b6781fa
-
Filesize
1KB
MD594ed65c97a5be82c62f413d84fd4f33d
SHA1b18fdc5dc7438a29ec9fff3f5b854abc096930ee
SHA256d3cf04378e4b4459c3e91146367a2cc761af394a416dc8c8889ee4b6f47af718
SHA51246125cdf31fa0c058ce9b83311d364766c0f14f50073a8dc8eaf3c1941373e7dcb79035e13825bf1937201626484d2ab65d4c735407a8241cb14043c138df7c3
-
Filesize
1KB
MD5c9e1ffe933dfe20a27dbeb6d8801ff8c
SHA12278aa42f79a829d24831066e6eeabe158cfca4f
SHA25693849ac29db8bc175f842665089b77c0f2abf1c7333ae5b747047a2581ac4b33
SHA512cb15ab544cc6bb1fce63e0b634ae09f29155a394302d04a7a601bc50ce219cdb799a06315b92d8c64df447393363b78e2fe4fd35607740cd7c5811e3a0968938
-
Filesize
1KB
MD53c3a21c7eb1e2777892b9a9186faf966
SHA147bf53cf522dff86bb0a93e8a6a53bac469c9473
SHA2567ac8875368f98cc2b30846de4866d0bc3f33214b08705cd668a23567b6812e4a
SHA512185f9f1824fff352bffebabb376b967b9f5cd4047694c674aa47c90b7a277c4db5c91b79602100ed44be99a9df5fd76abc1d1306e3f582a8f6c1a166cda72367
-
Filesize
1KB
MD5f0dc6b9f1f0e03fad2e6f9a38bd9db5d
SHA19af09e07f0c8ecff9ce1a9505d5bd97fec3ddc6d
SHA25680ca3db830265b6c1e12525614b76e64d68b8f8d4377bbbf6f5f32e9188658f0
SHA512c60448798e07d0ec5eb05a706749509acb5c1a81f45539d4008f02e7dfaeb8861f2ac41dc3663976ede1065a147bd43bd58682ad0a8c92a72a462c707cdd6dd1
-
Filesize
1KB
MD5974de2b76bc9606ed886c5c1da060d08
SHA13cc70ea6d2133316a5dcfa95e634dea0a9e25cbe
SHA2566f48837337259596db380e1a3b82bb84c0232aa6a64f168d960c3d090af18cf7
SHA5128da75ce2528af11d8f34d7291c5f5332332f368a281453db200cbd9a7225477730057d3b66ee7345151a414d486aaceb673df62761925d2a5dd5daa9ba269412
-
Filesize
538B
MD5bccc6aeb1c8250aa4d737dc961c8a103
SHA145f10eed98159d592218dc85bd393219454a82b5
SHA256e485771da1189ea8362cf9b5ea095aab4365f614f852f0bbf04fbb61aebd4d6f
SHA512b52da7baea15061012f7ffb8bbac7ef2302dccb4cc492aece810a5b6c4c9b33627d6720816f2b39bfc1c5c57d70c9e8d9c91fdb9e07d7f0e2cb526f2692df2de
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD5414ea9ad75d43f47060d5b1963a77329
SHA1782f33826842977969930cd62e963cb0ba4cddbd
SHA256ea4d33ee74350b60f16e953c1a2965dcc8bc5f603e524134a192714c2ee35f4c
SHA5121a9c642905dde90bacf76ab1f42d886262234892dc221f7eae4144ca4c095e9145bb07a64a1fcd7535c1b524413c908ade3f5002f4c55e55d5b7a0a5a76c27cd
-
Filesize
12KB
MD56b3a887883c9809b22335aa29c0d30ca
SHA14395c53d14eee2f4151508c6c81386da6916f212
SHA256defafad1c539d871493907fbf0313e5f43004fda87a486aca4bd621706efb4e3
SHA512385bff3b7f98bebb00f6f3df0d86e791ed9849afda97857e5560ed1fe2539aa6006aee9a8fb143354b96fee66488539c51126d17a663229ddc7a84db713bb65d
-
Filesize
11KB
MD54b7edcf8b326809ee7811d9953f0c234
SHA15501119dd5649ba78d667566ea86adc007506192
SHA256888b8a5f5a982ad48c7666645c59f3b918106835f7c01f7e4481d9742a651cb1
SHA51282cf5b59a98d832d8fd779ebf4b288e75ab9140c414cddb1c189215247ee16f233184ea1639cf0b352b79cfa6ed03d58b1546d1a8ac5f75af386ee20270c4f1e
-
Filesize
11KB
MD534c22f7746a16b896186f43e08e2f413
SHA1ed175cf051e3e9230ecdeb8c4a69f90bf9ebbae1
SHA256d66283c4702d50464484dd38d36af2d9e570757c7fb1c57abd0344bfcf63e0c0
SHA512340530064ec737d405ff23486c7347e35f1af1070c5262e777ef80254ad1b18106378ff0c097a2c2ce36d9becd65cb20b6a0a5e7efd7f635d5f69e88aea64270
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
944B
MD58857491a4a65a9a1d560c4705786a312
SHA14f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660
-
Filesize
944B
MD51542328a8546914b4e2f1aef9cb42bea
SHA17a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA2567584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
Filesize
112KB
MD594dc379aa020d365ea5a32c4fab7f6a3
SHA17270573fd7df3f3c996a772f85915e5982ad30a1
SHA256dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
Filesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
Filesize
402KB
MD5b1f793773dc727b4af1648d6d61f5602
SHA1be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA51266a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed
-
Filesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
Filesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
Filesize
415KB
MD5ea8488990b95ce4ef6b4e210e0d963b2
SHA1cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA25604f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA51256562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b
-
Filesize
619KB
MD5df785c5e4aacaee3bd16642d91492815
SHA1286330d2ab07512e1f636b90613afcd6529ada1e
SHA25656cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA5123566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745
-
Filesize
59KB
MD54f3250ecb7a170a5eb18295aa768702d
SHA170eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569
-
Filesize
149KB
MD5ef7e2760c0a24453fc78359aea3d7869
SHA10ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f
-
Filesize
59KB
MD5120f0a2022f423fc9aadb630250f52c4
SHA1826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA2565425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA51223e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764
-
Filesize
218KB
MD535e989a1df828378baa340f4e0b2dfcb
SHA159ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a
-
Filesize
296KB
MD5510e132215cef8d09be40402f355879b
SHA1cae8659f2d3fd54eb321a8f690267ba93d56c6f1
SHA2561bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52
SHA5122f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0
-
Filesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
Filesize
207KB
MD59a760ddc9fdca758501faf7e6d9ec368
SHA15d395ad119ceb41b776690f9085f508eaaddb263
SHA2567ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f
SHA51259d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139
-
Filesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
Filesize
182KB
MD59cd7292cca75d278387d2bdfb940003c
SHA1bab579889ed3ac9cb0f124842c3e495cb2ec92ac
SHA256b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f
SHA512ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d
-
Filesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
Filesize
22KB
MD5bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA2568af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA51286351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c
-
Filesize
8KB
MD58833761572f0964bdc1bea6e1667f458
SHA1166260a12c3399a9aa298932862569756b4ecc45
SHA256b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5
SHA5122a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8
-
Filesize
53KB
MD56c51a3187d2464c48cc8550b141e25c5
SHA1a42e5ae0a3090b5ab4376058e506b111405d5508
SHA256d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199
SHA51287a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba
-
Filesize
7KB
MD57a15f6e845f0679de593c5896fe171f9
SHA10c923dfaffb56b56cba0c28a4eacb66b1b91a1f4
SHA256f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419
SHA5125a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca
-
Filesize
17KB
MD5b7252234aa43b7295bb62336adc1b85c
SHA1b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f
SHA25673709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c
SHA51288241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358
-
Filesize
9KB
MD5dc826a9cb121e2142b670d0b10022e22
SHA1b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9
SHA256ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a
SHA512038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b
-
Filesize
2KB
MD522b4a3a1ec3b6d7aa3bc61d0812dc85f
SHA197ae3504a29eb555632d124022d8406fc5b6f662
SHA256c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105
SHA5129329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c
-
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\GenericProvider.dll.mui
Filesize5KB
MD5d6b02daf9583f640269b4d8b8496a5dd
SHA1e3bc2acd8e6a73b6530bc201902ab714e34b3182
SHA2569102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0
SHA512189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50
-
Filesize
2KB
MD5d4b67a347900e29392613b5d86fe4ac2
SHA1fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA2564ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662
-
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\ImagingProvider.dll.mui
Filesize18KB
MD5f2e2ba029f26341158420f3c4db9a68f
SHA11dee9d3dddb41460995ad8913ad701546be1e59d
SHA25632d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3
SHA5123d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e
-
Filesize
27KB
MD52eb303db5753eb7a6bb3ab773eeabdcb
SHA144c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4
SHA256aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f
SHA512df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427
-
Filesize
6KB
MD58933c8d708e5acf5a458824b19fd97da
SHA1de55756ddbeebc5ad9d3ce950acba5d2fb312331
SHA2566e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6
SHA512ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f
-
Filesize
15KB
MD5c5e60ee2d8534f57fddb81ffce297763
SHA178e6b0e03c8bf5802b3ef429b105d7ae3092a8f2
SHA2561ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145
SHA512ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc
-
Filesize
3KB
MD50633e0fccd477d9b22de4dd5a84abe53
SHA1e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9
SHA256b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706
SHA512e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3
-
C:\Users\Admin\AppData\Local\Temp\E02AAE2B-8E91-40E1-BAB4-F3A9C062DC2C\en-US\OfflineSetupProvider.dll.mui
Filesize2KB
MD5015271d46ab128a854a4e9d214ab8a43
SHA12569deff96fb5ad6db924cee2e08a998ddc80b2a
SHA256692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec
SHA5126ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438
-
Filesize
2KB
MD57d06108999cc83eb3a23eadcebb547a5
SHA1200866d87a490d17f6f8b17b26225afeb6d39446
SHA256cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311
SHA5129f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
220KB
MD522875034a0e97052632484273e8fa22d
SHA1a32c68bc28ad00a51712707c270f325c12a134a4
SHA256c2e3e7e65b9c23164957608b4b1e951b7a74568a7a3980eb1bb1371dbb312238
SHA512098fc750d20392f8ae9e050a0f503c68b36266f0726283b4c3cd3184fcf8663a6abacf716db69913d888029d028e477f7ebb010e5bacaa0ed2d4561bca3bf0b9
-
Filesize
243KB
MD543a4135b34a7cb98144e41f4afa50613
SHA1a57f72c5f66caaf156f80ab07d84e59fa4544620
SHA25603c5e8b5cfa84cab0cf1e7c1fc5738e1a51793523ab7695362c421915af3d534
SHA51226b84f45a0e8bd663eb72e478022e0483fe07175bf34410436a3a2b1e90ccbfa7df6f0b71a47279cf03a69f1d5fa17ae3acde1c444eab481c4977cbcd8ef6843
-
Filesize
438KB
MD5c277c62d509a0a30def1e058a82c1750
SHA14cc3f27be8741e814f0bf46410452f551209eef8
SHA256907a29e8f500ac023c0d7f8a202c41b24bbd3668cc1c3dafdd7260a910c1577d
SHA512e1cde6f22ab99333b6eed492ad885907311c81170bfe96d8419e7ce9bda95160b6701f328addbc2b9651978d97a687530f89d7ee3708202cfb8685f0460db3c7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e