hxxp://massgrave[.]dev

Analysis

max time kernel
173s
max time network
164s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://massgrave.dev

Score

7^/10

defense_evasion discovery execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4712	dismhost.exe

Loads dropped DLL 23 IoCs

pid	Process
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe
4712	dismhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
5100	powershell.exe
244	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
51	camo.githubusercontent.com
52	camo.githubusercontent.com
2	bitbucket.org
3	camo.githubusercontent.com
13	bitbucket.org
14	bitbucket.org
49	camo.githubusercontent.com
50	camo.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\SystemTemp\tem57F.tmp	Clipup.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4376	sc.exe
4260	sc.exe
3852	sc.exe
4280	sc.exe
2032	sc.exe
1476	sc.exe
4756	sc.exe
4468	sc.exe
232	sc.exe
608	sc.exe
2320	sc.exe
2000	sc.exe
2588	sc.exe
3360	sc.exe
3024	sc.exe
2900	sc.exe
5084	sc.exe
608	sc.exe
3888	sc.exe
2528	sc.exe
232	sc.exe
832	sc.exe
3492	sc.exe
4348	sc.exe
5084	sc.exe
4084	sc.exe
1048	sc.exe
4492	sc.exe
324	sc.exe
1004	sc.exe
4196	sc.exe
1816	sc.exe
2476	sc.exe
2832	sc.exe
3584	sc.exe
2588	sc.exe
1652	sc.exe
3084	sc.exe
3880	sc.exe
3508	sc.exe
244	sc.exe
1432	sc.exe
908	sc.exe
2320	sc.exe
2376	sc.exe
4356	sc.exe
908	sc.exe
1048	sc.exe
3920	sc.exe
1048	sc.exe
2604	sc.exe
2872	sc.exe
2200	sc.exe
5028	sc.exe
4232	sc.exe
3008	sc.exe
4356	sc.exe
3004	sc.exe
1188	sc.exe
3416	sc.exe
2280	sc.exe
3652	sc.exe
4260	sc.exe
4672	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3340	cmd.exe
4812	PING.EXE
3144	cmd.exe
2376	PING.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685309982367005"	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4172	reg.exe
1364	reg.exe
1428	reg.exe
4344	reg.exe
1748	reg.exe
3668	reg.exe
3976	reg.exe
3584	reg.exe
5100	reg.exe
1404	reg.exe
380	reg.exe
3660	reg.exe
2892	reg.exe
1964	reg.exe
3004	reg.exe
1188	reg.exe
736	reg.exe
3492	reg.exe
1752	reg.exe
3272	reg.exe
2312	reg.exe
1360	reg.exe
3764	reg.exe
4952	reg.exe
4952	reg.exe
4344	reg.exe
740	reg.exe
1184	reg.exe
4464	reg.exe
4084	reg.exe
4608	reg.exe
3892	reg.exe
1628	reg.exe
1344	reg.exe
4964	reg.exe
2988	reg.exe
4024	reg.exe
2344	reg.exe
4364	reg.exe
2104	reg.exe
4700	reg.exe
1920	reg.exe
3104	reg.exe
1484	reg.exe
1752	reg.exe
1964	reg.exe
3316	reg.exe
2524	reg.exe
2088	reg.exe
2256	reg.exe
4192	reg.exe
2188	reg.exe
3388	reg.exe
1816	reg.exe
432	reg.exe
2852	reg.exe
2656	reg.exe
2984	reg.exe
2028	reg.exe
3728	reg.exe
4468	reg.exe
4608	reg.exe
3728	reg.exe
2088	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4812	PING.EXE
2376	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
1488	powershell.exe
1488	powershell.exe
2804	powershell.exe
2804	powershell.exe
4068	powershell.exe
4068	powershell.exe
2800	powershell.exe
2800	powershell.exe
3008	powershell.exe
3008	powershell.exe
3368	powershell.exe
3368	powershell.exe
712	powershell.exe
712	powershell.exe
4556	powershell.exe
4556	powershell.exe
5100	powershell.exe
5100	powershell.exe
3780	powershell.exe
3780	powershell.exe
4176	powershell.exe
4176	powershell.exe
4648	powershell.exe
4648	powershell.exe
4460	powershell.exe
4460	powershell.exe
5000	powershell.exe
5000	powershell.exe
244	powershell.exe
244	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
1088	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1692	5004	chrome.exe	81
PID 5004 wrote to memory of 1692	5004	chrome.exe	81
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 2468	5004	chrome.exe	82
PID 5004 wrote to memory of 236	5004	chrome.exe	83
PID 5004 wrote to memory of 236	5004	chrome.exe	83
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84
PID 5004 wrote to memory of 2844	5004	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://massgrave.dev
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffa70cc40,0x7ffffa70cc4c,0x7ffffa70cc58
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2992,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2996,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4296,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3304,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4776,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5112,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3332,i,4793307923596789859,10875484288397141880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  - NTFS ADS
  PID:748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\" -spe -an -ai#7zMap326:132:7zEvent13972
1⤵
- Suspicious use of FindShellTrayWindow
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd" "
1⤵
PID:876
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  PID:4652
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:1568
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_8C3AA7E0.cmd"
  2⤵
  PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2568
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:2132
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:2520
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd" "
  2⤵
  PID:4336
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:1916
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2688
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  - Modifies registry key
  PID:2104
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
  2⤵
  PID:748
- C:\Windows\System32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd" -qedit"
  2⤵
  PID:2744
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
    3⤵
    - Modifies registry key
    PID:4700
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:2832
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2820
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_AIO-CRC32_8C3AA7E0.cmd"
    3⤵
    PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:360
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4164
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3148
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1944
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd" "
    3⤵
    PID:3668
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2980
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:2044
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    PID:4036
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3340
  - - C:\Windows\System32\PING.EXE
      ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:2168
- - C:\Windows\System32\find.exe
    find "127.69"
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:2136
- - C:\Windows\System32\find.exe
    find "127.69.2.6"
    3⤵
    PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:2792
- - C:\Windows\System32\find.exe
    find /i "/S"
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:3552
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:1428
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:3448
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:4468
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2256
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:324
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:1076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1668
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:3128
- - C:\Windows\System32\mode.com
    mode 110, 34
    3⤵
    PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $ExecutionContext.SessionState.LanguageMode
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- - C:\Windows\System32\find.exe
    find /i "Full"
    3⤵
    PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:1520
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:3004
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:1532
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:1188
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:3584
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:2752
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
    3⤵
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
      4⤵
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
    3⤵
    PID:1832
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
    3⤵
    PID:2716
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
      4⤵
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:3784
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3144
  - - C:\Windows\System32\PING.EXE
      ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2376
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:3156
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4232
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:2344
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4700
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:3416
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    PID:2412
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
    3⤵
    - Modifies registry key
    PID:4608
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
    3⤵
    - Modifies registry key
    PID:1184
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
    3⤵
    - Modifies registry key
    PID:3892
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
    3⤵
    - Modifies registry key
    PID:1752
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
    3⤵
    - Modifies registry key
    PID:736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
    3⤵
    PID:2736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
    3⤵
    PID:3668
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
    3⤵
    - Modifies registry key
    PID:1964
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    - Launches sc.exe
    PID:2320
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
    3⤵
    PID:4192
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
    3⤵
    - Modifies registry key
    PID:4464
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:3728
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:3764
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
    3⤵
    PID:3976
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
    3⤵
    PID:4364
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
    3⤵
    PID:884
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
    3⤵
    - Modifies registry key
    PID:4952
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:1048
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:4260
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:1428
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
    3⤵
    - Modifies registry key
    PID:1628
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:3388
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    3⤵
    PID:3316
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:4344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:2088
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    3⤵
    - Modifies registry key
    PID:2852
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
    3⤵
    - Modifies registry key
    PID:3272
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:608
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    - Launches sc.exe
    PID:3024
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
    3⤵
    - Modifies registry key
    PID:1344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
    3⤵
    - Modifies registry key
    PID:2256
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
    3⤵
    - Modifies registry key
    PID:3660
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
    3⤵
    PID:908
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
    3⤵
    - Modifies registry key
    PID:4084
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
    3⤵
    PID:3176
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
    3⤵
    - Modifies registry key
    PID:2656
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
    3⤵
    PID:3444
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    PID:4368
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:4356
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
    3⤵
    - Modifies registry key
    PID:432
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
    3⤵
    PID:2960
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
    3⤵
    PID:2468
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
    3⤵
    - Modifies registry key
    PID:2984
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
    3⤵
    PID:1652
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
    3⤵
    PID:2628
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
    3⤵
    PID:3180
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
    3⤵
    PID:3120
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    PID:3420
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    PID:248
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
    3⤵
    PID:2604
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
    3⤵
    - Modifies registry key
    PID:2892
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
    3⤵
    - Modifies registry key
    PID:4964
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
    3⤵
    PID:1508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
    3⤵
    - Modifies registry key
    PID:2988
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    3⤵
    PID:1432
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    3⤵
    PID:1520
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
    3⤵
    - Modifies registry key
    PID:3004
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:2280
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:3508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:1188
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
    3⤵
    - Modifies registry key
    PID:3584
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:4172
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
    3⤵
    PID:4208
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:1748
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:1920
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
    3⤵
    - Modifies registry key
    PID:5100
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
    3⤵
    PID:2232
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:2872
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:244
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:1404
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
    3⤵
    - Modifies registry key
    PID:2028
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
    3⤵
    PID:3096
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:4024
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:3104
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:1484
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
    3⤵
    PID:3744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
    3⤵
    - Modifies registry key
    PID:1816
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    - Launches sc.exe
    PID:5028
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:380
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
    3⤵
    - Modifies registry key
    PID:2312
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
    3⤵
    PID:4876
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
    3⤵
    PID:128
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
    3⤵
    PID:4360
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
    3⤵
    PID:5092
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
    3⤵
    PID:876
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
    3⤵
    PID:1028
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:2376
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:4232
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
    3⤵
    - Modifies registry key
    PID:2344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
    3⤵
    - Modifies registry key
    PID:4608
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
    3⤵
    PID:744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
    3⤵
    - Modifies registry key
    PID:1752
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
    3⤵
    - Modifies registry key
    PID:1360
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
    3⤵
    - Modifies registry key
    PID:3492
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
    3⤵
    - Modifies registry key
    PID:3668
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
    3⤵
    - Modifies registry key
    PID:1964
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:3008
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:2320
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
    3⤵
    - Modifies registry key
    PID:4192
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
    3⤵
    PID:4464
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
    3⤵
    - Modifies registry key
    PID:3728
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
    3⤵
    PID:3764
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
    3⤵
    - Modifies registry key
    PID:3976
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
    3⤵
    - Modifies registry key
    PID:1364
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
    3⤵
    - Modifies registry key
    PID:4364
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
    3⤵
    - Modifies registry key
    PID:4952
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:1048
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:4260
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
    3⤵
    PID:3336
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
    3⤵
    - Modifies registry key
    PID:4468
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
    3⤵
    PID:3836
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
    3⤵
    - Modifies registry key
    PID:3316
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
    3⤵
    - Modifies registry key
    PID:4344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
    3⤵
    - Modifies registry key
    PID:2088
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
    3⤵
    - Modifies registry key
    PID:2524
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
    3⤵
    PID:1972
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:608
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2900
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:324
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:4280
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:4084
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    PID:3176
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    PID:2656
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:3360
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    - Launches sc.exe
    PID:2528
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:4356
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    PID:432
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:2032
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2000
- - C:\Windows\System32\sc.exe
    sc config DoSvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:1004
- - C:\Windows\System32\sc.exe
    sc config UsoSvc start= delayed-auto
    3⤵
    PID:3900
- - C:\Windows\System32\sc.exe
    sc config wuauserv start= demand
    3⤵
    - Launches sc.exe
    PID:4492
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    - Launches sc.exe
    PID:1652
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3332
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:232
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    - Launches sc.exe
    PID:4672
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2056
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:832
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3652
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2892
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:3084
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    - Launches sc.exe
    PID:3852
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4964
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:2200
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1512
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    - Launches sc.exe
    PID:3880
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3324
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    PID:2292
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:3888
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service DoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4068
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:4196
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2396
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service UsoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:1476
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3508
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    - Launches sc.exe
    PID:4376
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3364
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    - Launches sc.exe
    PID:3492
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    PID:3872
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service BITS
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:1048
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4812
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:4756
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:4468
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service TrustedInstaller
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3368
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1120
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    PID:4976
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service wuauserv
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:712
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:232
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:248
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    PID:5076
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service WaaSMedicSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1188
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3584
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:2040
- - C:\Windows\System32\findstr.exe
    findstr /i "ClipSVC-1058 sppsvc-1058"
    3⤵
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
    3⤵
    PID:4884
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:2912
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
    3⤵
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd') -split ':wpatest\:.*';iex ($f[1]);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "6" "
    3⤵
    PID:2084
- - C:\Windows\System32\find.exe
    find /i "Error Found"
    3⤵
    PID:3428
- - C:\Windows\System32\Dism.exe
    DISM /English /Online /Get-CurrentEdition
    3⤵
    - Drops file in Windows directory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\dismhost.exe {01EF24C9-1DA7-4233-8F2F-76C50B92EA42}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:4712
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b -2147467259
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
    3⤵
    PID:3660
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
      4⤵
      PID:4280
- - C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
    3⤵
    PID:1668
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:432
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:2108
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
    3⤵
    PID:980
- - C:\Windows\System32\findstr.exe
    findstr /i "0x800410 0x800440"
    3⤵
    PID:2656
- - C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
    3⤵
    PID:4512
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
    3⤵
    PID:1488
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
      4⤵
      PID:3592
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
    3⤵
    PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
    3⤵
    PID:2892
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
    3⤵
    PID:2200
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
      4⤵
      PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4648
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
    3⤵
    PID:1440
- - C:\Windows\System32\find.exe
    find /i "windowsupdate"
    3⤵
    PID:5100
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
    3⤵
    - Modifies registry key
    PID:740
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
    3⤵
    - Modifies registry key
    PID:2188
- - C:\Windows\System32\findstr.exe
    findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
    3⤵
    PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:4608
- - C:\Windows\System32\find.exe
    find /i "wuauserv"
    3⤵
    PID:3892
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
    3⤵
    PID:1752
- - C:\Windows\System32\find.exe
    find /i "0x1"
    3⤵
    PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
    3⤵
    PID:3364
- - C:\Windows\System32\find.exe
    find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
    3⤵
    PID:2044
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
    3⤵
    PID:3872
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:4464
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
    3⤵
    PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
    3⤵
    PID:2208
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Name
      4⤵
      PID:132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
    3⤵
    PID:200
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Nation
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
    3⤵
    PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
    3⤵
    PID:2512
- - C:\Windows\System32\find.exe
    find "AAAA"
    3⤵
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Restart-Service ClipSVC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
- - C:\Windows\System32\ClipUp.exe
    clipup -v -o
    3⤵
    PID:2404
  - - C:\Windows\System32\clipup.exe
      clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem66A.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:4216
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:1484
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
    3⤵
    PID:748
- - C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /ato
    3⤵
    PID:4668
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:3668
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:2136
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:3756
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:2388
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:1336

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:3140
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem57F.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
17da487caadca59569ee320aa5face7c

SHA1
487bd35e183b54c1a37068d8e1c62b45fa28de91

SHA256
8d1e53bdab0f0039616c5c69f8b2ae16069d4720294e84ab0a3053a3d924fcb5

SHA512
71547793c50ae71af78d994b80d0b6c6f294c8188d2041036a0fdfb07b8d0226688acb05168ae20def8e189b52c849e0f5f472334ac128a5d40b1d697962af4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e866fd688c2f42dec3c6b1d59d4088c3

SHA1
9b419da16e58a8ec99687c11430f57147aeeeb4b

SHA256
d3df40339b35a0c394dd125ca1b31e8221107c89d8d849c3ae3dd4ae6f3f0408

SHA512
dda397d44d163530f31aa5768b52f14a11bcb4db053be0b4ffbe7b2dec57a3fddd75793681b7f0a7171ea2b828a90c4e2e43db92de2cc40ef404e645e0a2b9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
3bb2fad6f8553bc47a578893a4695981

SHA1
bc82f88fe37e67da39e48a9f006dda04d5dcd4b2

SHA256
05a2155aac74bdfd725fade3cd9ca6e634d407d445e60b301baf00cb6f7c0d9e

SHA512
0cfe03d66ce17d9af67555deec65d1b640e350393b9e3928a0fea661b7f7964707d77001d5b8237b7d78940b960866388a43fe387ae361ad5af9148a48d721aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
bbbcaf05252d087f015ac95380660842

SHA1
a280ca0918af8aa214672d9423f8465f58365b79

SHA256
2a9ef7897838e261b65b3b5eb97f3801b252290b9aa22c53ef4eb46ffd800034

SHA512
a4bbb062421123b54dc66cef705e39ea7556f4c8bf49901b90c0546a2614b44752b26b67d3b96756592099ddcac5a8f5b80455611101ad9e58d7456a895e8619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
06e75b7ce228b4fb5ed527b1ac09f5fb

SHA1
7d7dc35e2f0db37677a7b76c5c25d074d1cec27c

SHA256
8b9fb6cd5d87979cf46e6be3a05b0f13f39cc4fa2a74dba5971a092857c84fb4

SHA512
2271ad06cb557a7d0a82419719588e5e01025720fcee113ceec07a809f4c2d433249707fb2f8da95cd8afe4282fabdae3a5a9f79fe1af344bd74fb1c2dc9e7e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2066aaea9c00fbf795e79fa1c4b70af7

SHA1
0adf0bdc9cc48c34977d57647821e91c5dd9ffba

SHA256
62b93d2a77ecf6bfea79246a41ba0e7ed44bb6193d6f87a10440804addd953ff

SHA512
a6dfc30a39064b235a3701153f9b49e7d1172b5055dc8742a330c8bd3a2632451d61aac9000d48e80a0b111fa549e786ba8bd465f3fb4040494c98bc88ea0dd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
349ead61195b4049693e5ca5ad1413a2

SHA1
9feb2f0febe482e66c954ef34f8cc6c4ebe7b46c

SHA256
f7188a17a6bd0b5dd5d997bcde16149f437003fcaf9970cc3deb3791b4173c31

SHA512
66a5a64b9671e69eb4a9f274e5d9b4ea6d4e26ef1efa96b7e45f276b86dcc830d3d6c8cb7fa8b074bca766b45ff1fc24a0d6206fba23ed840244497c2cee98b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2fc270799768f81e979e855a9b0c6282

SHA1
0cad06c0831a016628fc451d3d21a68972609fcb

SHA256
29dc5089ba95531c6ad5e009da3029c4242efc7e95b316fca5acfbc4cefd289b

SHA512
4992a2a676df3caaefc7651a9ef71bcd82d274fd53d1d9ca05f14c99824b0b6882e0411d5703fb0d5a5e8b8f29abcb01369a498b27794b07a38a49f4b2009e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
42e17c3f2a957c0a8f46f69eeee7a5d9

SHA1
70bb3fe5c98e46a05159f348ca58b323d21b3139

SHA256
b56bf0003757d3ee74dee70806ac05f95cece674ecd4bc5be91169dcf140e64e

SHA512
7cbde15ea30cb560d07dff8e498bcaef7813871a782e0a34544f60acf3376410e3c1c4a638dffd077f9fcc353de719b2e4040853183a3059d106a8277a40832b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
56aa3b96b584aac215097badb68fc40d

SHA1
3f2d09979a2de6f085d9ed0d54d8e6316db07df3

SHA256
9dfc5ce7ba1b14899f5862dad24e170104fc30dcb9dc5bfb295e2dd5118f935d

SHA512
31bf3201fc3ec6d5e6d91979e77366c8ef9e72618368a6dbbcd47d951df4e45f90ee7ab5f1865fe9cf32a45ae38073d97f9da199cf4ed0dfec532d279f45193d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
03b545c0b537ae17abb821039e243373

SHA1
5769ecf8aca04003eda0dda1465f2e222657a901

SHA256
cb8f664a74421e9859ce04fe6dcc72acbaec1967c06c4f7063c8e0e898f11aa9

SHA512
9cc553dcd3713dc1b15f9cd3ad4a42acc843bfb051f35a7884f595e7b6a3c368d37cbe3a2e216db836eaa43bd0ea5528b678f89428a893bc73b47afb19e059f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
a151ba7c8d9d82c7bfb2ca87096bdd78

SHA1
1f2e0937c90400a2cdbeb7730da285788f37917d

SHA256
d4e7630031dc5137beb5867c9f561aca17c9dc9c78aa22835ed0fac49e432121

SHA512
4b98edc6ae12b48509f66863f07a1f794d45552aeadc4ac78f1669bbd388c887af2e77b5786bedd110111d9dcac9d47ec1196133c0dedc503858b002e3653640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d50d825f5b9255fff468c8067fc56580

SHA1
d813f9be5c07a0d6b4d49a43a53034f5af2c34b5

SHA256
8abb2c533aad6f314ec97acd4a4c56bc6b010f114bb0dc58f033251ccbd1cdf1

SHA512
dac3e22ed3f0924bd371fb7234452b5563f34109a0892d66c2bcd820b6e1f1c892738fedc8543ee84b251d270346cf55a03d90f1c07a5eab7aae9069763f0993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd244a5b02b699e4a053e7125885e3d8

SHA1
b6b2cae34cefc8f342e77af5b5299cf89de47120

SHA256
a7a3c08b11c89b0f8931b8975bbf120ff001b95645241a49e1aa4bead957b899

SHA512
79d1fbd9e7a0165663b613d01c963ee9359c220f7b6d25f4190ae72b44f1c95fedfffbbc625a972f53c9ec18d3bfe13a51589113bf728a21bcbed3ce7fb534ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ba1ff43744aa2aac0241294c377148e2

SHA1
8f6a4b258fbd6e8cef9e539546ce414ce18cda40

SHA256
024f30c2c6bf728583259c7303c18ffa094826ca2d573bcb4ec20e5250a98dd3

SHA512
8cb57916571ef4660d7634a3906003b19a102df7ab4d48911bd2130802fd4b46fad1b4eca2c2bdab6be2f4a309c15321905509db7e3f1c6222a2f0ab36d99eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
08ea91343ef75e360c674628acf201c8

SHA1
207add9e35c110c616cd453c1922485c713a92c2

SHA256
b704f465f563a5bbf73e17646e0a6d0860152f14ceb86483497e3bc6a2adf01c

SHA512
c4d09c3fa4763913ae11184ecb96f774c206fbd9480c231cc7f4036c20ed34eab1f7b3c3a183abf68dc3f0c16fa0034d5ce7e6dd87f0aad6e76fd9d704927871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7061f0e4fefc9c41287c9d166c1179c7

SHA1
79689444ea56cbfcbf01d759e86564e791142301

SHA256
193621e7d7574aa7d531406f5062a2845b2407857115006a6af18297b4180437

SHA512
325913300d75b343ed490ca9ade8637ee272c61305931103d4221099e1c75bbd2b5d78c4d7154d38dc18dc9bc9237f4bb8ce0a8986f30935bfb7e76b71275428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a549d1eb81489016e4dce98c7f1585c4

SHA1
afaeaf92e996e815cbd372a6ab047d1ee557665d

SHA256
f780780a50b2d52d0de2c86ca3599d758b8522787a5ee7685a0cbf1ecccee8cf

SHA512
263e8a92e11ab4f7d22671050ac3e1456d72d0909eb9f59fa8924c5c886cd9aa66b48a1b902a832f7d9f652c839a02eff617bcae714c273a727592f1a5116c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2a954de4f6d120ef7da74cb578fac751

SHA1
7c4336c10c8b0e05b6d12ba4354a17da01a03c6c

SHA256
b39e0e128fd307a2074814c7f28ea700c2e5a7e2c9e53087f708aee59b683f60

SHA512
faab192b036d8fb8eb334a98bb5328fcef0af26357203c0d7b88230aff57d4ded92c644954b209876cfd3fa5dbc33ae8b8f80a5cfc5a8e3b26952c214ed88576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
06515f048362abd105762b40318a1a15

SHA1
307d1fbe6f9129c0af4ab640b41c76c142a2b3fe

SHA256
78f9fc1e3fca4801a28c7e865ee6c656925a86c0e40c5161fd52a8d5ec11983e

SHA512
4051e35378141fa814c248a58690f0b0a2ce2e0d4f629cd957847158cb1c0ee178e2917484ad693c943ed419cff6bfbe2d148ea3eecd734b7fb69801147f4b7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
3f0586204dfbd423940b1e8051121d81

SHA1
304c0f81158b98a2d476c990ecde791a761fae46

SHA256
467f3a0eae26cc3c93fe277c257b2b3c98fc7c8eeccc1735fc4c497f1ed12175

SHA512
ec5004d9bb6883a85d36e734a72da41a57c366f67703c12a9ade1ea807a011c929a18a9125bd82fd1e21a94b54efbc4867a986b452ac2cee00d8c28c59992310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
321966103db5fda0ae40614997992cf1

SHA1
431b01ab60fb0627be65002e373e982f41ea1941

SHA256
8c33f9b55ccb082e55c4867147555501246abb18e13c8e42f225f7512a5ab3b1

SHA512
9b9af0239a660edc48d665a36b4475d541d38cf1df8954646db59b39dd4f80a3dbe4fef893b174a84bbb907422c75862d3671eb303a89fa5121ce4a3e541889c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
5045f95d52b83e017e09f7502d6cea46

SHA1
df3742dc971ee987557cccd76823e43217820013

SHA256
30f66c60a685dbdb64dc94e6fc3266acb012298644d4cb4f42343674acbf95ed

SHA512
f0f339f52fe830e0e91a80d4b1a30d9a3d0fc162ef68e74353e3b36b27642b9f01a1473ca061fe0a7bc6fd3062cf95b15a7db81ab5f234c81bec9f11527c3bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
6ad42e214db23da61659afb975f5982f

SHA1
f84ec79e534d727cce69548ae08ad03e6657da60

SHA256
fc460a05fb8e977425e711ea060b46a530bc053badf0c9940046eff595178c03

SHA512
e7e93d37240fb236197c143ed05f6de956f64cf66e19b172f1e8e029810747cb287cdb554b9e14311a75eb572396991c70f96728f87df769ca951709f920d9d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
37fe20accca24feec878abdaabeb7914

SHA1
1de3ed86d0338799632af89af96ebabdda82b2f4

SHA256
bdfd3e2437e0228525c213e75f7eee4e402369610a4d0af6e87eeaba6d8e7c8c

SHA512
5e4d8c194f8ee11340bd7fedae8db01d30735492a8b93bd70acaebdf24e52c7bb8d0d632ac0ef2cd1f7bf849bd7b9a4362afd769ae23e65959eba860b1f176ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
98e26d7555609a239314517a3f087b7e

SHA1
778c96edd54ef90b16e287d940b6b399e6d06eab

SHA256
1221eaca145a7cdfc139cfca146ff684baa3be24304c3a261745bb181a2cf58f

SHA512
362d98b9d28f7adf101c63dc1690cd2036db4e4db5facefd1f8bebd0f40777ab9fe1e1bb4ea2ed98b1f42b1ded872a7eb68cb80431c36ced6595219994a1ac9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
57be0ff5052f4adc0e596d8bd96cd4a1

SHA1
18b7b7f8fe1c8f4abacbb1e6af074b08f0e846b6

SHA256
6dabfaf1f5335a7edc2fdbc78981007da18c49aad8583aa36a0f6995c6e15e49

SHA512
c004c9f547956d6ece2abc3fc49b6f5c5eb5afc52c0cdc3b443f2173a24dccec2a22fd4afd0cda7c12adc898c956959c21002f66af7e67d4791ed0a4fe8d8dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
143d750b7bf31d49640fc16659cd79f9

SHA1
d894233fd16595c7c35a5661217390e03953c6b2

SHA256
4df6d479846355c48923acd17f8e89e657a47987bcd38f5dda841990e58c1467

SHA512
52e7dad999def86835665cc77f247c723262d76e8677ee9a6af1f35a0b75d37dbc879e90efe9cc7e18471745d6a59d59a7b5f10736ca68aedf9a6724accf6b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
db18c0475701d1f830ceff75dda1d324

SHA1
5229b775567ca24e9bd6dfdf2255d5e9332e7c7e

SHA256
1ec9d83ac27e2b0a73b74d5ffaa863cd0b55f1ebfe424e14b90564906c45b03f

SHA512
7ea243652cbc70bbe4b500e759a6e42c64bf08a6b587ee8acd080537a7926b19f0725e088b58daf0f69eee090abd42b22f56afd4295e221c16fbfa60c78e304e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
deace1f3e3f4fff66c9e1ab8fdd10b75

SHA1
a6a793f8e6628020a852b817f4941fa5fe85c326

SHA256
1773e2aa319ae388e654acd214635d9c2334f0922471d7b79f5360a355a9a27f

SHA512
1c74bff974f4b248f6b5fd79dc6ea6a50518cd57e91e4415497c36371b36c4a310069fc5ae6a6435c2eed21c991fe9ed33427bcfd46d3fe71fbfd28a233f31b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8f54fa33681e616449ef172a4d44d268

SHA1
863df4019864e2bec9681f12f0159451e17292df

SHA256
bf051980baf5c287b7dfc84f59e6462e0d55bfce96eeac643b1d2bbaa076564a

SHA512
02d1d03f186480b4a154d268af6c638cb91ad31f507f8cf529828a71c57431a698a605464522646c4d0a258a4db1d90895d53a6988f6d65b6020018609ff17f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\Ffuprovider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\MsiProvider.dll

Filesize
208KB

MD5
eb171b7a41a7dd48940f7521da61feb0

SHA1
9f2a5ddac7b78615f5a7af753d835aaa41e788fc

SHA256
56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

SHA512
5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\SmiProvider.dll

Filesize
272KB

MD5
46e3e59dbf300ae56292dea398197837

SHA1
78636b25fdb32c8fcdf5fe73cac611213f13a8be

SHA256
5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

SHA512
e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\Vhdprovider.dll

Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\WimProvider.dll

Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECC74D16-15C1-4D4B-B65A-F2D65DACB5CB\dismprov.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfkjepw5.05w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip.crdownload

Filesize
275KB

MD5
de09ba441a8b0405274e954caa22b9a0

SHA1
8ff98bf0a0c783b3e64049c09da21900f94cf43b

SHA256
1c99f1daadba3308396326e39021363322b881612a5123d36db1ee2b33bd25a9

SHA512
bbe96b500e0a3004a7a25281f6779eac25febdd5c6e2f405f3aba6728a6600b741747b7fde86ccd6bb0acadd9fc1adac95fbcff4854c07778728506771556dc3

Download Submit
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier

Filesize
216B

MD5
1606c1656b51571458580ccd2409a0a2

SHA1
a387abb2571c0e6526f97a8bd100c287bb1bfb7b

SHA256
58fee316402e7251d00d7add5571237828a3d214d9ad290f4b9a66a6784213bd

SHA512
9f73f9f885e0069bf72ae03bda7c61d33153a7f7462eaff6cd400f2eef7c140b2477d15519c15e636f23231233768a529ba7f8665fc6cf22a2e28815f3477b6a

Download Submit
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_8C3AA7E0.cmd

Filesize
438KB

MD5
92cc8f1f67a875563d1299e7dd7b5723

SHA1
bee4adfe87603f91067b9f868f7f42b34b2fbdeb

SHA256
d666a4c7810b9d3fe9749f2d4e15c5a65d4ac0d7f0b14a144d6631ce61cc5df3

SHA512
958aa162d4599340e98fc1e01488d3c3aad47169dd71af1cba05fbd82e6385855484c788438227f5acb0ff2622e5dafe984e689b7019de14db100fe12104dca7

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
16KB

MD5
15af0be8f6711cefebe141a20a5b421d

SHA1
b881f08adddba5e778634ebae045fc00a3324210

SHA256
59b663f4baab6f2fe838b2d412812a9381a782a4e0cd8b2db23bff2f479ffbb2

SHA512
97b18989e5511ca55b0d0a9bf208a8796174ad2364a37d4458554a1d2fe5e2bf7902f3ec27559a598b1001a2f6a9fb4cd88be7d092ca8edd4f58f96f8bbcf141

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
23KB

MD5
28b80cd1961efc724eee27bc6eac1f1a

SHA1
2ee526ff1d23f213621011e40ea9e482b4f2007a

SHA256
180f88f1a8ec3858800137f8658a76ba9c21b28f38116c9ac1b3f173163123d7

SHA512
18018f340103da302ced69e687cff252e3bd3fcb8aeb38a10c9e4411b40dbf837eeef0dab8dfe6aeda83b2158d38d4d21abf9c8d7d628cd76cddd4101571e9b5

Download Submit
memory/1488-707-0x000001D27E470000-0x000001D27E492000-memory.dmp

Filesize
136KB

Download
memory/2404-966-0x000001AB92220000-0x000001AB92230000-memory.dmp

Filesize
64KB

Download
memory/2404-967-0x000001AB92220000-0x000001AB92230000-memory.dmp

Filesize
64KB

Download
memory/2404-973-0x000001AB92220000-0x000001AB92230000-memory.dmp

Filesize
64KB

Download
memory/3084-969-0x0000013D2DE80000-0x0000013D2DE90000-memory.dmp

Filesize
64KB

Download
memory/3084-968-0x0000013D2DE80000-0x0000013D2DE90000-memory.dmp

Filesize
64KB

Download
memory/3084-972-0x0000013D2DE80000-0x0000013D2DE90000-memory.dmp

Filesize
64KB

Download
memory/3140-952-0x000002D151970000-0x000002D151980000-memory.dmp

Filesize
64KB

Download
memory/3140-959-0x000002D151970000-0x000002D151980000-memory.dmp

Filesize
64KB

Download
memory/3140-953-0x000002D151970000-0x000002D151980000-memory.dmp

Filesize
64KB

Download
memory/4724-954-0x0000016C9AC70000-0x0000016C9AC80000-memory.dmp

Filesize
64KB

Download
memory/4724-955-0x0000016C9AC70000-0x0000016C9AC80000-memory.dmp

Filesize
64KB

Download
memory/4724-958-0x0000016C9AC70000-0x0000016C9AC80000-memory.dmp

Filesize
64KB

Download