95ad654302eff2de80fb7e4013540d85b39c62237db82b8164e2de24460348ae

Analysis

max time kernel
201s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LTSC-Add-MicrosoftStore-master/Add-Store.cmd
Size

5KB
MD5

774d50f20409deb3953e6948b3db446c
SHA1

4308a5fdf2790727017a5440962b97e9952bf87e
SHA256

b62fceb293c6404ed08725abb944ddd824a0bb56f0e468c387875f763a49c188
SHA512

2068d90652eab85f8e30b78e76a8839e4b4296004c22824da7b7e0d7d77b828a4febf4facb523a68aa2d515a6844ca8b838e379fa0ca2b27d5f5f6267d13877e
SSDEEP

96:10TmOmwmZA2E9sNADrokgxz5tK58EJJREMfuy:10T9F4A2E9iOVjXj

Score

7^/10

discovery execution

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2320	dismhost.exe
1520	dismhost.exe
1756	dismhost.exe
856	dismhost.exe

Loads dropped DLL 20 IoCs

pid	Process
2320	dismhost.exe
2320	dismhost.exe
2320	dismhost.exe
2320	dismhost.exe
2320	dismhost.exe
1520	dismhost.exe
1520	dismhost.exe
1520	dismhost.exe
1520	dismhost.exe
1520	dismhost.exe
1756	dismhost.exe
1756	dismhost.exe
1756	dismhost.exe
1756	dismhost.exe
1756	dismhost.exe
856	dismhost.exe
856	dismhost.exe
856	dismhost.exe
856	dismhost.exe
856	dismhost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3976	powershell.exe
4332	powershell.exe
32	powershell.exe
3660	powershell.exe
2644	powershell.exe
5080	powershell.exe
5088	powershell.exe
5048	powershell.exe
3648	powershell.exe
3976	powershell.exe
1504	powershell.exe
2768	powershell.exe
4996	powershell.exe
628	powershell.exe

System Time Discovery 1 TTPs 9 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5056	cmd.exe
4796	cmd.exe
2644	powershell.exe
5080	powershell.exe
3660	powershell.exe
1220	cmd.exe
1188	cmd.exe
5088	powershell.exe
3976	powershell.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	WinStore.App.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	WinStore.App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	WinStore.App.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	WinStore.App.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	WinStore.App.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2644	powershell.exe
2644	powershell.exe
2768	powershell.exe
2768	powershell.exe
3976	powershell.exe
3976	powershell.exe
3648	powershell.exe
3648	powershell.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
628	powershell.exe
628	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeBackupPrivilege	2644	powershell.exe
Token: SeRestorePrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeBackupPrivilege	3976	powershell.exe
Token: SeRestorePrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeBackupPrivilege	3660	powershell.exe
Token: SeRestorePrivilege	3660	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1396	WinStore.App.exe
Token: SeDebugPrivilege	1396	WinStore.App.exe
Token: SeManageVolumePrivilege	2432	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1396	WinStore.App.exe
624	WinStore.App.exe
4836	WinStore.App.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1104	2180	cmd.exe	86
PID 2180 wrote to memory of 1104	2180	cmd.exe	86
PID 2180 wrote to memory of 2424	2180	cmd.exe	87
PID 2180 wrote to memory of 2424	2180	cmd.exe	87
PID 2180 wrote to memory of 1980	2180	cmd.exe	88
PID 2180 wrote to memory of 1980	2180	cmd.exe	88
PID 2180 wrote to memory of 456	2180	cmd.exe	89
PID 2180 wrote to memory of 456	2180	cmd.exe	89
PID 456 wrote to memory of 5060	456	cmd.exe	90
PID 456 wrote to memory of 5060	456	cmd.exe	90
PID 456 wrote to memory of 3708	456	cmd.exe	91
PID 456 wrote to memory of 3708	456	cmd.exe	91
PID 2180 wrote to memory of 4240	2180	cmd.exe	92
PID 2180 wrote to memory of 4240	2180	cmd.exe	92
PID 4240 wrote to memory of 4244	4240	cmd.exe	93
PID 4240 wrote to memory of 4244	4240	cmd.exe	93
PID 4240 wrote to memory of 1332	4240	cmd.exe	94
PID 4240 wrote to memory of 1332	4240	cmd.exe	94
PID 2180 wrote to memory of 5056	2180	cmd.exe	95
PID 2180 wrote to memory of 5056	2180	cmd.exe	95
PID 5056 wrote to memory of 1220	5056	cmd.exe	96
PID 5056 wrote to memory of 1220	5056	cmd.exe	96
PID 5056 wrote to memory of 3232	5056	cmd.exe	97
PID 5056 wrote to memory of 3232	5056	cmd.exe	97
PID 2180 wrote to memory of 4796	2180	cmd.exe	98
PID 2180 wrote to memory of 4796	2180	cmd.exe	98
PID 4796 wrote to memory of 1188	4796	cmd.exe	99
PID 4796 wrote to memory of 1188	4796	cmd.exe	99
PID 4796 wrote to memory of 4780	4796	cmd.exe	100
PID 4796 wrote to memory of 4780	4796	cmd.exe	100
PID 2180 wrote to memory of 4192	2180	cmd.exe	101
PID 2180 wrote to memory of 4192	2180	cmd.exe	101
PID 4192 wrote to memory of 1240	4192	cmd.exe	102
PID 4192 wrote to memory of 1240	4192	cmd.exe	102
PID 4192 wrote to memory of 624	4192	cmd.exe	103
PID 4192 wrote to memory of 624	4192	cmd.exe	103
PID 2180 wrote to memory of 3352	2180	cmd.exe	104
PID 2180 wrote to memory of 3352	2180	cmd.exe	104
PID 3352 wrote to memory of 252	3352	cmd.exe	105
PID 3352 wrote to memory of 252	3352	cmd.exe	105
PID 3352 wrote to memory of 3400	3352	cmd.exe	106
PID 3352 wrote to memory of 3400	3352	cmd.exe	106
PID 2180 wrote to memory of 2432	2180	cmd.exe	107
PID 2180 wrote to memory of 2432	2180	cmd.exe	107
PID 2180 wrote to memory of 1732	2180	cmd.exe	108
PID 2180 wrote to memory of 1732	2180	cmd.exe	108
PID 2180 wrote to memory of 1712	2180	cmd.exe	109
PID 2180 wrote to memory of 1712	2180	cmd.exe	109
PID 2180 wrote to memory of 2644	2180	cmd.exe	110
PID 2180 wrote to memory of 2644	2180	cmd.exe	110
PID 2644 wrote to memory of 2320	2644	powershell.exe	111
PID 2644 wrote to memory of 2320	2644	powershell.exe	111
PID 2180 wrote to memory of 2768	2180	cmd.exe	112
PID 2180 wrote to memory of 2768	2180	cmd.exe	112
PID 2180 wrote to memory of 3976	2180	cmd.exe	115
PID 2180 wrote to memory of 3976	2180	cmd.exe	115
PID 2180 wrote to memory of 3648	2180	cmd.exe	119
PID 2180 wrote to memory of 3648	2180	cmd.exe	119
PID 2180 wrote to memory of 4996	2180	cmd.exe	120
PID 2180 wrote to memory of 4996	2180	cmd.exe	120
PID 2180 wrote to memory of 5080	2180	cmd.exe	122
PID 2180 wrote to memory of 5080	2180	cmd.exe	122
PID 2180 wrote to memory of 5088	2180	cmd.exe	123
PID 2180 wrote to memory of 5088	2180	cmd.exe	123

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LTSC-Add-MicrosoftStore-master\Add-Store.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe query "HKU\S-1-5-19"
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *WindowsStore*.appxbundle 2>nul
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *NET.Native.Framework*1.6*.appx 2>nul | find /i "x64"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *NET.Native.Framework*1.6*.appx 2>nul"
    3⤵
    PID:5060
- - C:\Windows\system32\find.exe
    find /i "x64"
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *NET.Native.Framework*1.6*.appx 2>nul | find /i "x86"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *NET.Native.Framework*1.6*.appx 2>nul"
    3⤵
    PID:4244
- - C:\Windows\system32\find.exe
    find /i "x86"
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *NET.Native.Runtime*1.6*.appx 2>nul | find /i "x64"
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *NET.Native.Runtime*1.6*.appx 2>nul"
    3⤵
    - System Time Discovery
    PID:1220
- - C:\Windows\system32\find.exe
    find /i "x64"
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *NET.Native.Runtime*1.6*.appx 2>nul | find /i "x86"
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *NET.Native.Runtime*1.6*.appx 2>nul"
    3⤵
    - System Time Discovery
    PID:1188
- - C:\Windows\system32\find.exe
    find /i "x86"
    3⤵
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *VCLibs*140*.appx 2>nul | find /i "x64"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *VCLibs*140*.appx 2>nul"
    3⤵
    PID:1240
- - C:\Windows\system32\find.exe
    find /i "x64"
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *VCLibs*140*.appx 2>nul | find /i "x86"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b *VCLibs*140*.appx 2>nul"
    3⤵
    PID:252
- - C:\Windows\system32\find.exe
    find /i "x86"
    3⤵
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *StorePurchaseApp*.appxbundle 2>nul
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *DesktopAppInstaller*.appxbundle 2>nul
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b *XboxIdentityProvider*.appxbundle 2>nul
  2⤵
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxProvisionedPackage -Online -PackagePath Microsoft.WindowsStore_11809.1001.713.0_neutral_~_8wekyb3d8bbwe.AppxBundle -DependencyPackagePath Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.Appx,Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx -LicensePath Microsoft.WindowsStore_8wekyb3d8bbwe.xml
  2⤵
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\dismhost.exe {1CB49BC7-73C7-4088-B0E6-EDA1DADEBD1F}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.WindowsStore_11809.1001.713.0_neutral_~_8wekyb3d8bbwe.AppxBundle
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxProvisionedPackage -Online -PackagePath Microsoft.StorePurchaseApp_11808.1001.413.0_neutral_~_8wekyb3d8bbwe.AppxBundle -DependencyPackagePath Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.Appx,Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx -LicensePath Microsoft.StorePurchaseApp_8wekyb3d8bbwe.xml
  2⤵
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\DD9CF16D-9A98-47CF-AF95-F244B83C8DC3\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\DD9CF16D-9A98-47CF-AF95-F244B83C8DC3\dismhost.exe {BFF9A6A3-337A-4C2E-8CF0-3CF66C3BCA9E}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.StorePurchaseApp_11808.1001.413.0_neutral_~_8wekyb3d8bbwe.AppxBundle
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxProvisionedPackage -Online -PackagePath Microsoft.DesktopAppInstaller_1.6.29000.1000_neutral_~_8wekyb3d8bbwe.AppxBundle -DependencyPackagePath Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.Appx,Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.Appx -LicensePath Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.xml
  2⤵
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- - C:\Users\Admin\AppData\Local\Temp\E0D1ED69-27BA-483C-AD4F-DE20CD8E557E\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\E0D1ED69-27BA-483C-AD4F-DE20CD8E557E\dismhost.exe {95583298-0CB5-4C37-81F4-3C02CD4BF412}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.DesktopAppInstaller_1.6.29000.1000_neutral_~_8wekyb3d8bbwe.AppxBundle
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxProvisionedPackage -Online -PackagePath Microsoft.XboxIdentityProvider_12.45.6001.0_neutral_~_8wekyb3d8bbwe.AppxBundle -DependencyPackagePath Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.Appx,Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Framework.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x64__8wekyb3d8bbwe.Appx,Microsoft.NET.Native.Runtime.1.6_1.6.24903.0_x86__8wekyb3d8bbwe.Appx -LicensePath Microsoft.XboxIdentityProvider_8wekyb3d8bbwe.xml
  2⤵
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\331B8B14-1AF4-46F0-9E88-9D40CF9335D3\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\331B8B14-1AF4-46F0-9E88-9D40CF9335D3\dismhost.exe {0BC8B24B-1A22-40A9-BCB7-B4A35AF72805}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoLogo -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-AppxPackage -Path Microsoft.XboxIdentityProvider_12.45.6001.0_neutral_~_8wekyb3d8bbwe.AppxBundle
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504

C:\Program Files\WindowsApps\Microsoft.WindowsStore_11809.1001.7.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11809.1001.7.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22407.1401.3.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22407.1401.3.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:624

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22407.1401.3.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22407.1401.3.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e471a97a97a0c151c381196ddbc81e00

SHA1
8b60be122d9034c3a9892a3ce522e7c22ec83e45

SHA256
dee428385c3f21cd16772a4586ef229e8c9c707d176e389ecc06ee8ca6c00fe9

SHA512
ec7a22bb358e37a0d35a88b225f0b0dd3fbd090ff74f6f4369490b7d6a8445ab525da531d5bfd67b749540ede2ffbff9bc4e22b339a3b8c4744a7456f3e15278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
009725221e78c166254d5e8ebad76342

SHA1
cfd01f4c5bfb8895d7e46fc78e7311044471dd28

SHA256
e8142109fb45e7fbafe67a02b5e3267c974ee42658f5c59f8a6e846bbc2a8dbd

SHA512
15b1c18d338e52e0e54aadb084ed6ad447e7aef488853eedc05985f3374814712919d615de8fd42bb2b4d614725c736086a0c52e1f94fa9e43de418c6e7cfb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
615513c64a80d6d32775873dd0701e9f

SHA1
48abef7f09adfc9158f8dc9519cd9c06d0778441

SHA256
3aab3bd21d25b3df4315233186bf6555ae101b095644d92bc256fb0788a4b0db

SHA512
7069d2f88dc2a82af47243b982132b03ccc925b2c5e5a989dab647b59b8a85ece666c1355947ecf414efa6890021f2e3183b2f0c9ce6a0ab1792c3e758b1f764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eed502b90bb0d185394f85f25b79df2d

SHA1
3eb6da8a473510385ae7d1cc9bb29eb8eb3c5e2a

SHA256
8baa99ec431cdd368fe7409981016a095be951e60d47917c0930b234f2fb3e4c

SHA512
2b39a0ebfff3ec1e8ee8aa662796c7e6e7096d636ab7e17213535d5316e8dd3696fb09d5ccbbe63bc4c3cfff337b2c224eec37027925f8005614166539f42b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
afc26610cbb8c8ffaa3dba91f11a0952

SHA1
1799103b455e358ffb6a681a6193da5c48e4603c

SHA256
82d70fa5aab998037be696cdee8d2d51d4e9d0bc120d488dde4c8212d4ffcb2a

SHA512
171d65c8745d6e4aeb6ca6380d83aef0d31d8eacc5e50be09cbb42fe93533da41c0c798abfa765bfc3570740a62907dc31b2494c2cb734caa4d5ac3985d7ab48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
34f8acb87e4f756503f8e946bd4df8eb

SHA1
54366e644481641b06a0a5d984f120c8eeba09e1

SHA256
ac024b2b4e79ca32fecb6d9cb2abfdb838b8a904751ddd6e9a01eef61aff9e7e

SHA512
734c7aad715667650f2659f5ccdaecf6a3308ddfe0b57f4d4a35a336702c9b387f08b0ad5a8ebb0482a48c3136769bcb8df7eb071f9a02c4657abcb3b800b4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e30b839b95ba433699f0cbefd6a1af80

SHA1
39c4afdba1f90aeaa2ab51633c992b083714b973

SHA256
3b3a0cfe041853a7cf2361f27a860dd03212339d8087a4b22655d1136c01f96a

SHA512
b1c988505865202de585cc71adac8b2a1341baf9464823a405a7cf04ecd72d7cda297b4aa770cfdfd3e352d02d241c43b005daf8ca76a989eb4dd975263ceea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61b09bda6e91ed92b670972c7ffe3be2

SHA1
d198442e26d382d57d1cb933b2b6dd1ef112e8de

SHA256
2be0e14d4c4cbe89d7b0a7e905fbc247a9b6d4b4ceb04fd4bf6d49fd5117512b

SHA512
3539a5266ee3cf377181259db9a691b899bb2eba2e7b2a2b10def936a7ada22bd333708d99a4eb4bb80dc77a3befa30fdffb2a47324a342abbd004834a63f591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72ed389a6cc13185c0398f5611df66bd

SHA1
f9b9413e993a3ac771df411be679cffd4ba0f084

SHA256
7f0c4f652f99fe4335c2b5841584de7b076a388ab1ae7acfad483648b77f5832

SHA512
871c9939224a8aa6dc19d5dce77ab6e43d8879d4195917b71a596e5ab00da3b43cb14918d15fb4370586864a86a5079b32e95078fc0724c88abbf4ff5704435c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e8540c18cbcff7d3d4fb24e796bb9ab

SHA1
069b9240566567fb33512f24d50006c60d7efea2

SHA256
6f74920886a59be86daa6f97fc50e8f3ed8b7ba01253a29948f0dd93620eb777

SHA512
b68c24a576aea3d6f8ee3327aaed45e8cfaab433b8e32b0f577336ea93cb9434acaf92e5992a865285c72e06cf590799de166f89dc090a077a257856737e580b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6c5b06ed1f6dc7594928dd81eb08e28

SHA1
9dca554e3d46064e792eea00c0a80ac30ede9dc7

SHA256
3fbafc9a81ea30d7966fb64c706f15c16d0d646519e865fe6b220b25bf5469bc

SHA512
9fe3b05b3284e2f0f4f8644f1d58267776206b87d2cdeecfc79c3a6caf1859b6ca057ae015510d5a2769f712bc4b4829857879ae6ba91e7ac438a6eed0dc30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0594F51-C5F5-45F9-BFC9-54491FCC7B7E\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyvfq3a1.3af.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
303KB

MD5
6c29da814908473d28841f7a3b132b08

SHA1
6d3e35a139eea769483750457f5713e0ba148da2

SHA256
32c8bc968c5e7119052e9d5c05fd6722f89fb610a86d4c3dd9f97ec40d43ecbc

SHA512
4c1091c878e946e817215277da82a3d69e0429f7f2f6ff75e54489d160454832f0918fa94c25cced9b8f2c0006310d975666e2990297f433208a4f678e0cdc2a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
309KB

MD5
55c9110d6371a21571a373846fba5489

SHA1
15a4e7932b7bd99e3f77a4c0f2b9c66bf1aa4f31

SHA256
08ab2924edf81846df020986da2898a1341caea611c36800b2deae672fc00c8c

SHA512
b8ba70426fa3bc21b8555aa141652e4bfc1aae47300ed9043d68924df23b93b30aa2443de67486a141caa62459fc30ce1cadc89002a79710af8cd82bb456a791

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
320KB

MD5
9f35c3604600e81c7112d76784743049

SHA1
d44ead9eabdf091b19c65a61f317f76fb34bed73

SHA256
a8c94f149a9398a98e7edb8516f8ce4ee0e43c1ba627ca9e5156de3fcc0791f3

SHA512
1e92f80352889500d4f4f7eddf6cd9b338cea46f41e03a6c491748bb2c6b44c51a09e1a8cd9055772dc4b5d2a281ea548319454b6cf5f403aeb1dce6ddd1080a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
229KB

MD5
4e9c1aa10751707ec429a783bc127175

SHA1
938e47c3aaa62060409f4f3d56abc96f90d0a998

SHA256
ce45832de73984149610772a3fac732420f2a32d04ec5498e39d2a93327476c3

SHA512
45c86efb724333d55e4e475aaa87a5180de97862210ebd1f9c402479b0274bb7ce904afd7c1a79fd499971cec19c0543394369beafb88262003b811eb303eef3

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
245KB

MD5
be1b0acd8ccd5272f8d863c04b48c804

SHA1
bfea510276a38eb47f011541fc129553361dcb81

SHA256
ceaa48cbd1505510d89fc455a122a83a56f75e84e82d4881d48b3aff4c8e0b4e

SHA512
a2dfdb2938dd174bfbf32fcfa4ac8d5b4e8c7b04f5a0c4f6eaf481b8252e0eb6b06ff71d9ede88b4f388eff622a622b5d4c1610ea6fa895aa2ca217c4d2be96d

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
252KB

MD5
feb5bdd25c1f5cf5d5608f958ea9cb5f

SHA1
25d0bd7ec333c13ff6ca85f020c986be004037f6

SHA256
c860a9e7ac58efda88a889095875fa9a0140013d90a3c236ab8e6487066c08d9

SHA512
5c3283c36ac0437c1836b2ea515c6cdd69816da541d66b450ad275b7dd9510f15ccd698915c6ec12e7d9f49c7b05260fc593a935117be778740a935a53eb180b

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
260KB

MD5
0f1385660b460db07bc0705cd53bfcae

SHA1
a0b12ee3a395eda9290ae35cbd6dfbf4917cedf6

SHA256
f4fcd630ffe710f0c5d4ef70fb079e8f03356b69ddb8ac0d2fe25ae8d4108380

SHA512
40207a9e441137efee2f2317a977ecdd2e235c938cded30076fca1b6ed33b0c21288e473cf1320213ee285d27d243e329eb88e7483cc73984ed01d2b0892af4d

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
275KB

MD5
e8f4499bbe0bf5d9831df50ee7c04c70

SHA1
a58eb543cfd56225dc46e4b613abb435b6610eed

SHA256
06da437b854d742907f38d2a4518b120d41c105da40f3d9cac6da8a63b681ee9

SHA512
d9a25bcf26faf18d4f001317f15e6a00d6bcdcaa004b0e7b56c5c0e0d04b58c7c88a8294d9482d95eea9257fed7e9cf53275d9d00c3b91357bdf0d9dde893dc3

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
277KB

MD5
c363705b5abd73750bb488017f9450e8

SHA1
4b99a1d4b7056f53b18d2dfab688af4cf076d7c8

SHA256
a91b7340861f8239a631bab1690856f318cc49189396671e65c8418dca78173b

SHA512
f3959e352173fdaea3a967ef9fcd75a9d7f6bd5628cd06e5d60640037ace2db5016472b22a64f776c7f276c46498eea4c45188fd10fa14b824b87f7283ad087b

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
289KB

MD5
3905f91246a897dd5c39c1789c688e26

SHA1
ed6ec55f68461dcc8f2d4b5e141c763ad7f9d45f

SHA256
dd38c5108435766972c82ddca14fefce726e540c0cf4463cf6cef839bec9a00f

SHA512
7fc1984dfedd0398ae8ae342f6ee1d9975c25598cc8c91911583f658995238d37c36945b8844aae4cd933acb554178d04ec4e6e0ec07861d762497c088b437dc

Download Submit
memory/2432-1554-0x000001FF14F60000-0x000001FF14F70000-memory.dmp

Filesize
64KB

Download
memory/2432-1570-0x000001FF15060000-0x000001FF15070000-memory.dmp

Filesize
64KB

Download
memory/2432-1586-0x000001FF1D3D0000-0x000001FF1D3D1000-memory.dmp

Filesize
4KB

Download
memory/2432-1589-0x000001FF1D400000-0x000001FF1D401000-memory.dmp

Filesize
4KB

Download
memory/2432-1588-0x000001FF1D400000-0x000001FF1D401000-memory.dmp

Filesize
4KB

Download
memory/2432-1590-0x000001FF1D510000-0x000001FF1D511000-memory.dmp

Filesize
4KB

Download
memory/2644-10-0x000002467F8D0000-0x000002467F8F4000-memory.dmp

Filesize
144KB

Download
memory/2644-5-0x000002467F460000-0x000002467F482000-memory.dmp

Filesize
136KB

Download
memory/2768-374-0x000001CA7C960000-0x000001CA7C96A000-memory.dmp

Filesize
40KB

Download
memory/2768-373-0x000001CA7EF30000-0x000001CA7EF46000-memory.dmp

Filesize
88KB

Download