hxxps://cdn[.]discordapp[.]com/attachments/1273785140216336394/1286153809126752258/MAS_AIO[.]zip?ex=66ecdf93&is=66eb8e13&hm=24c709222ff175dd2ea48d0624ef3b542d67ad5e51c9f91b9ae92d08c18f665b&

Analysis

max time kernel
1800s
max time network
1684s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1273785140216336394/1286153809126752258/MAS_AIO.zip?ex=66ecdf93&is=66eb8e13&hm=24c709222ff175dd2ea48d0624ef3b542d67ad5e51c9f91b9ae92d08c18f665b&

Score

6^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5924	powershell.exe
6040	powershell.exe
3916	powershell.exe
5588	powershell.exe
5856	powershell.exe
5996	powershell.exe
5180	powershell.exe
5892	powershell.exe
4848	powershell.exe
1388	powershell.exe
4816	powershell.exe
3452	powershell.exe
2316	powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Launches sc.exe 37 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6088	sc.exe
5276	sc.exe
4516	sc.exe
1148	sc.exe
3164	sc.exe
5944	sc.exe
1732	sc.exe
5304	sc.exe
4656	sc.exe
5272	sc.exe
5580	sc.exe
5980	sc.exe
5708	sc.exe
5620	sc.exe
4900	sc.exe
1360	sc.exe
5592	sc.exe
5636	sc.exe
5828	sc.exe
5972	sc.exe
4624	sc.exe
4820	sc.exe
5836	sc.exe
6052	sc.exe
5532	sc.exe
5844	sc.exe
4828	sc.exe
6040	sc.exe
5640	sc.exe
5832	sc.exe
5544	sc.exe
4900	sc.exe
5960	sc.exe
5920	sc.exe
5180	sc.exe
5228	sc.exe
1896	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5976	cmd.exe
1940	PING.EXE
1404	cmd.exe
4704	PING.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5260	reg.exe
1160	reg.exe
2824	reg.exe
828	reg.exe
5528	reg.exe
6048	reg.exe
3052	reg.exe
1292	reg.exe
3172	reg.exe
3100	reg.exe
3320	reg.exe
6032	reg.exe
5592	reg.exe
5764	reg.exe
6004	reg.exe
4392	reg.exe
2444	reg.exe
2732	reg.exe
4076	reg.exe
5576	reg.exe
5160	reg.exe
632	reg.exe
4808	reg.exe
5868	reg.exe
5888	reg.exe
2040	reg.exe
432	reg.exe
4944	reg.exe
736	reg.exe
2760	reg.exe
5880	reg.exe
4724	reg.exe
2732	reg.exe
5540	reg.exe
5728	reg.exe
6020	reg.exe
3172	reg.exe
2912	reg.exe
5964	reg.exe
5956	reg.exe
4168	reg.exe
3464	reg.exe
6012	reg.exe
4848	reg.exe
5236	reg.exe
4716	reg.exe
5248	reg.exe
6132	reg.exe
5732	reg.exe
5528	reg.exe
1604	reg.exe
1312	reg.exe
5688	reg.exe
1312	reg.exe
2876	reg.exe
2408	reg.exe
5912	reg.exe
3620	reg.exe
2376	reg.exe
6080	reg.exe
3236	reg.exe
4604	reg.exe
116	reg.exe
5628	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1940	PING.EXE
4704	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
4336	msedge.exe
4336	msedge.exe
1176	identity_helper.exe
1176	identity_helper.exe
4936	msedge.exe
4936	msedge.exe
6040	powershell.exe
6040	powershell.exe
6040	powershell.exe
5180	powershell.exe
5180	powershell.exe
5180	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
5588	powershell.exe
5588	powershell.exe
5588	powershell.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
5620	powershell.exe
5620	powershell.exe
5620	powershell.exe
5892	powershell.exe
5892	powershell.exe
5892	powershell.exe
5996	powershell.exe
5996	powershell.exe
5996	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
5924	powershell.exe
5924	powershell.exe
5924	powershell.exe
6084	powershell.exe
6084	powershell.exe
6084	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
5644	powershell.exe
5644	powershell.exe
5644	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
5724	powershell.exe
5724	powershell.exe
5724	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
4912	powershell.exe
4912	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	5180	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	5588	powershell.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe
Token: SeSecurityPrivilege	1604	WMIC.exe
Token: SeTakeOwnershipPrivilege	1604	WMIC.exe
Token: SeLoadDriverPrivilege	1604	WMIC.exe
Token: SeSystemProfilePrivilege	1604	WMIC.exe
Token: SeSystemtimePrivilege	1604	WMIC.exe
Token: SeProfSingleProcessPrivilege	1604	WMIC.exe
Token: SeIncBasePriorityPrivilege	1604	WMIC.exe
Token: SeCreatePagefilePrivilege	1604	WMIC.exe
Token: SeBackupPrivilege	1604	WMIC.exe
Token: SeRestorePrivilege	1604	WMIC.exe
Token: SeShutdownPrivilege	1604	WMIC.exe
Token: SeDebugPrivilege	1604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1604	WMIC.exe
Token: SeRemoteShutdownPrivilege	1604	WMIC.exe
Token: SeUndockPrivilege	1604	WMIC.exe
Token: SeManageVolumePrivilege	1604	WMIC.exe
Token: 33	1604	WMIC.exe
Token: 34	1604	WMIC.exe
Token: 35	1604	WMIC.exe
Token: 36	1604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe
Token: SeSecurityPrivilege	1604	WMIC.exe
Token: SeTakeOwnershipPrivilege	1604	WMIC.exe
Token: SeLoadDriverPrivilege	1604	WMIC.exe
Token: SeSystemProfilePrivilege	1604	WMIC.exe
Token: SeSystemtimePrivilege	1604	WMIC.exe
Token: SeProfSingleProcessPrivilege	1604	WMIC.exe
Token: SeIncBasePriorityPrivilege	1604	WMIC.exe
Token: SeCreatePagefilePrivilege	1604	WMIC.exe
Token: SeBackupPrivilege	1604	WMIC.exe
Token: SeRestorePrivilege	1604	WMIC.exe
Token: SeShutdownPrivilege	1604	WMIC.exe
Token: SeDebugPrivilege	1604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1604	WMIC.exe
Token: SeRemoteShutdownPrivilege	1604	WMIC.exe
Token: SeUndockPrivilege	1604	WMIC.exe
Token: SeManageVolumePrivilege	1604	WMIC.exe
Token: 33	1604	WMIC.exe
Token: 34	1604	WMIC.exe
Token: 35	1604	WMIC.exe
Token: 36	1604	WMIC.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeIncreaseQuotaPrivilege	4820	WMIC.exe
Token: SeSecurityPrivilege	4820	WMIC.exe
Token: SeTakeOwnershipPrivilege	4820	WMIC.exe
Token: SeLoadDriverPrivilege	4820	WMIC.exe
Token: SeSystemProfilePrivilege	4820	WMIC.exe
Token: SeSystemtimePrivilege	4820	WMIC.exe
Token: SeProfSingleProcessPrivilege	4820	WMIC.exe
Token: SeIncBasePriorityPrivilege	4820	WMIC.exe
Token: SeCreatePagefilePrivilege	4820	WMIC.exe
Token: SeBackupPrivilege	4820	WMIC.exe
Token: SeRestorePrivilege	4820	WMIC.exe
Token: SeShutdownPrivilege	4820	WMIC.exe
Token: SeDebugPrivilege	4820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4820	WMIC.exe
Token: SeRemoteShutdownPrivilege	4820	WMIC.exe
Token: SeUndockPrivilege	4820	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4504	4336	msedge.exe	82
PID 4336 wrote to memory of 4504	4336	msedge.exe	82
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 4620	4336	msedge.exe	83
PID 4336 wrote to memory of 3836	4336	msedge.exe	84
PID 4336 wrote to memory of 3836	4336	msedge.exe	84
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85
PID 4336 wrote to memory of 1856	4336	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1273785140216336394/1286153809126752258/MAS_AIO.zip?ex=66ecdf93&is=66eb8e13&hm=24c709222ff175dd2ea48d0624ef3b542d67ad5e51c9f91b9ae92d08c18f665b&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd472946f8,0x7ffd47294708,0x7ffd47294718
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9878738595494750510,6338536839289591324,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 /prefetch:2
  2⤵
  PID:5872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_MAS_AIO.zip\MAS_AIO.cmd" "
1⤵
PID:732
- C:\Windows\system32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1732
- C:\Windows\system32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5124
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:5168
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:5184
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:5200
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:5208
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5232
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:5248
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:5256
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Temp1_MAS_AIO.zip\MAS_AIO.cmd" "
  2⤵
  PID:5280
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd"
1⤵
PID:5772
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:5828
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5836
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:5860
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:5880
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:5896
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:5904
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5928
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:5944
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:5952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd" "
  2⤵
  PID:5976
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5984
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:6016
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:5164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5180
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:5172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:1500
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:4828
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5492
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:4940
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:440
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:4704
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:5496
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:5520
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:5524
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:1360
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:1740
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:3892
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd" "
      4⤵
      PID:1508
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:3688
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:5576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:5604
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:5844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5856
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:5836
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5976
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:6136
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:2168
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:6056
  - - C:\Windows\System32\find.exe
      find "127.69.2.7"
      4⤵
      PID:6068
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:6084
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:5144
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:6024
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:6012
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:5160
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:5260
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:5244
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:5296
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:5212
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5252
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:4944
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5192
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:5304
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3804
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5484
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3012
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1584
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:3172
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:2876
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:2732
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:4604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:1312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:5528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:4168
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:2408
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4900
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:3892
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:1360
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:5556
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5540
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:5848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:5876
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:5944
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:2432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5892
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:5888
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:6124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5996
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:5156
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:3628
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:5288
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:5252
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:3240
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:5080
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:4940
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1404
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4704
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:4528
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5520
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:732
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:4784
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4872
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:5532
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:1360
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3220
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:4808
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:4076
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:5540
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:5592
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:5576
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:1604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:5688
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:5628
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5708
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:5616
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:5832
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:5620
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:5972
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:5960
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:5964
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:5880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      Modifies registry key
      PID:4848
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      Modifies registry key
      PID:5956
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:3464
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:5728
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:5764
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      Modifies registry key
      PID:5868
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5920
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:5836
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:5732
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:5912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:5888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:3620
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:2376
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      Modifies registry key
      PID:6048
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:6080
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:6052
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:6088
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:6004
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:6132
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:6020
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:6032
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:6012
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:3052
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:5236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:2040
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5276
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:5272
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      Modifies registry key
      PID:3100
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:1292
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      Modifies registry key
      PID:4724
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      Modifies registry key
      PID:4392
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:432
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      Modifies registry key
      PID:2444
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:4944
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      Modifies registry key
      PID:5260
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5180
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:5228
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:5160
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:1160
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:4716
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      Modifies registry key
      PID:736
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      Modifies registry key
      PID:5248
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:2824
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      Modifies registry key
      PID:3320
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:632
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:5304
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:4656
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:3172
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:828
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:2912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:3236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:1312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:2760
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:2732
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:5528
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4624
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4516
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4900
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:1896
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5544
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:5532
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:1360
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1132
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1148
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:3164
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4808
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:5592
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:5580
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2532
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5640
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:5636
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5784
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5844
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:5832
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5848
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5944
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:5980
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5964
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4820
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:2432
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:5748
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:5824
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5924
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "6" "
      4⤵
      PID:6028
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:2168
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:6136
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:5140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6084
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:5220
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5272
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:1008
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:4724
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:5164
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:5280
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:5196
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:748
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:3900
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:5128
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:5268
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:3896
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:4948
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:5172
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:1272
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:2824
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:1920
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:3980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5084
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:4900
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:4000
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:3804
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4848
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:5952
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5724
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:5264
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:6016
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:2040
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:5144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:6024
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:5216
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:2364
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:5272
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:3504
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:4724
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:5536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:5480
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3452
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:5824
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem490A.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:5732
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:5952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1388
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:5724
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:5256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
      4⤵
      PID:1940
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:3456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:5244
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:6124
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
      4⤵
      PID:5276
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
      4⤵
      PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
      4⤵
      PID:3100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2316
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:5588
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:5620

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:3688
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem4810.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta70f714eh7c95h4a15h9a8fh4b422005509a
1⤵
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd472946f8,0x7ffd47294708,0x7ffd47294718
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2698048247538987126,2998338553108006167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2698048247538987126,2998338553108006167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2186298377c109202a764740d8ae7504

SHA1
b032b2dd2609f55b90039d517bd59d37f402855f

SHA256
107581a09d7c4427192c54ab8fdc19f947e7f3963973526d36f8a825b6425e0b

SHA512
2740d235679bee4bd73b55463f1b99ec15c2d58cbc17b901b355eef9c159191fe9fee5ae24b2f86ec6f135e1ba27f3481ac94738fd1b1b7d921a7d9e813fc9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
13137ce1e8d8479b115b2b55c9d85eec

SHA1
46a21e170214eadbd2af0222e21060f56d826a14

SHA256
0136ec6efa743d051bc8cfea840ade44d1fc4a4e6d217ee439ebabd33ef250e1

SHA512
d79bdd7cf4835ee27230c4ee56b76a2f3f3637e355561407506c7bd3467e74bd4cc118eef5b0e439ac66ed4cedfbb1be65d9cd437beb198a4f886382731c8ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fccfccb8335738935b49fe693df00777

SHA1
f68220dcd151698eaf8179f43a029336f952f553

SHA256
463f8dda73441a8be08785232cc0267b76960e0d957fdf6547a6ad6cf61d8e3f

SHA512
2e38bc3a77597a5a7f26452d25898cd78706c0e487298a089a22989d3751a72062645f7db94ee8788194c15db570f3d69f49737dbdac78b386661a6daff2959a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7f7da7dfe2ac3636a54c823f63d23633

SHA1
f711dbce45f045a4150d59c74b086dae465eae8a

SHA256
34499b9e211a80ddba386205abab8d540e2bd8ac1c54a2dee07e7fb1ad01aef9

SHA512
3eefa05c7fbcdf62c77bf8fcf65c806646c9db726f3240b0348d7d380d93463c8f66a51c91ceb1ddd77edf86c312101dbf27b4e72e1a0fdb6f1e7553269f016e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c9e8958e4fc9c0ea9256af91ac9ed099

SHA1
7af49c3b556be487712de23580fabc19d3dce84b

SHA256
edd01293a5c4108d840efa94445e1c92c5320f4d9ae4652b92d423af0d96eb45

SHA512
0a0455b2b7aa1383185a4039ce1586b94d64350c17a1f321d03d06866a47d6e3299d09d96a40971b5e8d8fad373d7d04656452ad61390df608d47caeefe9f28f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3c0483548af053a1ef69f06f0c4049d

SHA1
5acde377d393e713d50b8d739b3b9459c36133dc

SHA256
847459a0059662656ec304089a89c2fe356c0b3b422f4d2b2cce74316c22a158

SHA512
430ecad4bdd3613886609ab6b2fb91bff2469983eb98548812d38b49ba0f978d781d38f8a088b497f7ec84d1e7bc5fd06b610897f4b127498d39e69fc3b7fb79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df4d87b6845d3fddf6e659396aea0757

SHA1
a636715074a17bb786eca83543fb685219f23f57

SHA256
0ea4203b826c4795e76f169fb364d512d3b03426c1e82719c6ec3b3446187f70

SHA512
df4d70ef157b2dafce200cea052f0509d821d14f5cbcf7704149275a3e863ed7bfcda8d7f91b5539aa899c902a5743d13bc01f07797f4b0b564cefff5c36b7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58b97594c4d764d5d99a459fbee0fd33

SHA1
4d1f8f4f5bbf87a6ea3ae7b7be623542377365da

SHA256
8001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2

SHA512
874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89c193840c8fb53fc3de104b1c4b092

SHA1
8b41b6a392780e48cc33e673cf4412080c42981e

SHA256
920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

SHA512
865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f0f8c49b22409ca78499f5df1ce9456

SHA1
5300f7ed636959c8c8366418e891dbe49a3edba9

SHA256
429128efcec165baf50a81021e610933e1020f5298d865f7b30daf370fb22014

SHA512
ca976a7ab0ef4782c3003433e8d99d34d8060cb3a8790e787b56db1e207902b9dd15ecb6e76fecbd00f5e83a8add34329b25f86b90c62055f0d0d1de5607d2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6a597e8737d320d364521986803cb2c

SHA1
6b542167fa6674b4f69a1bdd58c6f2fee4c57d49

SHA256
17107fc01623db2c028aa7e666e462b5dbbcaf7245329c3089080560607ea368

SHA512
c4bca8516a5272a15ae118bfbcb11db6d0666c6f48cd035b545c3df0e6436ffe20a1417e82ffc77ec430bc62157123bd9497ab9f621c82a6e2d32772ba7b7c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e936ffde1732f536cc835ed3e6c83842

SHA1
05a7c09e599c32003ea21329932a032ace4f592c

SHA256
da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

SHA512
35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9f2e31474c963ee8bc306f500ff3d86a

SHA1
3aed1f97178d94ddecc782f838071e09460f325b

SHA256
4db5f39a39dbd1cfafab2cb5322fe3222009d6b433ff91013d09fe719939350d

SHA512
de9b4f6483c53cc47d8114be256ff5d4817862229d848e3b4519f9cfc19950e954c265fc4f6dd39faffb154cfb1d186a501224c95e744ec1474c6e6b36ee9f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab90e26f718006666c796e2a61aa1bd3

SHA1
fa442089c98e7f98385847cffb7be5734d2aaccc

SHA256
013bc7fff3a9aee164d1176ce9e60c27fa5b2d5d7f8d84f3d60fd03a4b0b1516

SHA512
d602de9be0d442dd94ed6435b1acae08a26b7fdf3769169f669a4c5ef69c8cfd8395e56c50f7046111c901e9f86c73cf08ba8c942146e9ae58ef98e1760c1f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ad33642f863ae14ee53bc6853ee330e

SHA1
ca81cc7d8c33a46ebe97bc1d3db55e41a813029e

SHA256
17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19

SHA512
52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30949790a1e9aa57925c085a082fede6

SHA1
40b16abc81a48cbf3823de0a895e8eb065ae9528

SHA256
1e259ee2cd0886d661e544760a7e34f002743ec7c8dc9069e72984711f3c1139

SHA512
77854b3ad54ae7bf0c8af73b281bfe9c3050272d879595cc9c4608e07f40d6489e98b3563d733244659553b6355903757f74a7a5454acdfa245b73584454ab03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c993400ab000e142c04bfa763d1330d1

SHA1
d92094d0b03a7f860a0dd881f4b17bebecac6d9a

SHA256
f25cfec5dc8e5ddfb78760aefe9ae0f820c8a1f7070425553bd4e7b60c47c32e

SHA512
fb35a017fbd4601bc001a37618d0386dfd0a404b42405e7152e372f75bb7175755ff2bf29d2cab37f8d7da2e8a9ce0168e0df5743935a0fb9b559694daf1f60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b610494cba200f3157d244b80405cf76

SHA1
feedb38f76e3870c6debf4b14cc1831e0e6214ce

SHA256
28fe44db2e33232d4ee4c743dd772a01f79413eeef83ef39b85dd95d3b9f4f1e

SHA512
8c1faf4704a7afe41261b8ef50d8c1ce2a67bfd00ad51a4caf7034e04e54f138294245a1ae47616e12a2005ce28a01d4ca89af6c2500425483c29fdee48207bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be2edea7a940b8e00032e7ed78d41d83

SHA1
4bb65f0396c6a471a5125b250c794522d40cf249

SHA256
7ac68879d3e2781636f42db74c1d2c5e5f47d9c0bceb1aacfd074727019fe48a

SHA512
d04f785e7bd6e586db3ca9e894ca572d0521639961ffec65ee301969f47648ed3ed71083f4afa8e5f7fa9e7e00fe1ef5835b3a3c337a2de2af3d1d805860d6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e9f658d83a9a7d776eacccd657b0fe8

SHA1
5b87a8de83a4e1f3fe54e5683d445dcc5f06bebc

SHA256
54557246652dd7e29eb5cabb759cfca76ca23380afd61b77aabab7dbadd1460f

SHA512
3b1b2f4d3ddb1d49b047fbe438d4710a3695647aca622d63caab944080cace2d914f24202c18aae97c41985e8b0e0a89b48fdbf017cd18c7ab26b55d119fefc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
718624e547131afcd415899014b543cc

SHA1
71a4d62034771d9bcbbacec65bc3b529452343f0

SHA256
b906b141b5393fe88dc4c45e80786ca5095cfa93defd8b3c90e0f9ead881d701

SHA512
d79c2ae94325b20102f27d930193ff986c8b94b9c601fe51833a4009a044a8f7b7f0570c15bf9959062af4e33f88b2a19c55149a3a54647fa62b0aeb8a791ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4592495c2bbbac47e64292cc78b6b45

SHA1
4a8dfb8f2d3fbfb14bd67035d7dd22039601f186

SHA256
44d41ba84ea23885698016185c472cb1f1650c2bfb98fee085fb6dd033d0f517

SHA512
2c241c7793cdfd4c2a329ff0a373c2d505f9cd46e3a74617cc0e0a82b43be1e0428bf649a4ff8454851a43643c1ea419985a5f7f3be19137c011d7b16c518578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpkjeqd3.0d2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem490A.tmp

Filesize
582B

MD5
b02d98888d8a7bb3959f4be94c381844

SHA1
3b59e0aacbefc413ca8547fa218e6303a40f38d0

SHA256
32177b2b5018471100086de3c307e5445c32184ae182b2a7ef39d5895ebeb59a

SHA512
4834dd8b7385ccc6c5f307655367b44e638563aee56d0b7583f4e587f756af27c1dfc85215aaada9dc3c4f00fb35d1f6cd100692a9d51d1ea6b50736419b4643

Download Submit
C:\Users\Admin\Downloads\MAS_AIO.zip

Filesize
121KB

MD5
f8fb6580f105b9473df26a51bc37aaf0

SHA1
bae955a628d0c57d4cb8cffe8324f467cfce185b

SHA256
d04a9be3eb29f762cbcdde3e574f66712fc2d73572f7af2d310a909ca4957ec3

SHA512
ce41aa461cc3a5cc0d427a5a8e36219bd50cd63505484a42628c2b219b4e9ae9b7d520fa06de9c3b23d8c81fa81a2419363fa00f10f878195eb29d03d5bcd077

Download Submit
C:\Windows\TEMP\tem4810.tmp

Filesize
206B

MD5
b13af738aa8be55154b2752979d76827

SHA1
64a5f927720af02a367c105c65c1f5da639b7a93

SHA256
663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

SHA512
cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

Download Submit
memory/3688-331-0x00000242E3020000-0x00000242E3030000-memory.dmp

Filesize
64KB

Download
memory/3688-330-0x00000242E3020000-0x00000242E3030000-memory.dmp

Filesize
64KB

Download
memory/3688-339-0x00000242E3020000-0x00000242E3030000-memory.dmp

Filesize
64KB

Download
memory/5180-118-0x0000024E19BD0000-0x0000024E19BEE000-memory.dmp

Filesize
120KB

Download
memory/5180-117-0x0000024E19B00000-0x0000024E19B19000-memory.dmp

Filesize
100KB

Download
memory/5248-196-0x0000027FF4980000-0x0000027FF4B8A000-memory.dmp

Filesize
2.0MB

Download
memory/5248-195-0x0000027FF45F0000-0x0000027FF4766000-memory.dmp

Filesize
1.5MB

Download
memory/5676-332-0x0000024898D40000-0x0000024898D50000-memory.dmp

Filesize
64KB

Download
memory/5676-337-0x0000024898D40000-0x0000024898D50000-memory.dmp

Filesize
64KB

Download
memory/5676-333-0x0000024898D40000-0x0000024898D50000-memory.dmp

Filesize
64KB

Download
memory/5732-349-0x0000015BCB5D0000-0x0000015BCB5E0000-memory.dmp

Filesize
64KB

Download
memory/5732-348-0x0000015BCB5D0000-0x0000015BCB5E0000-memory.dmp

Filesize
64KB

Download
memory/5732-353-0x0000015BCB5D0000-0x0000015BCB5E0000-memory.dmp

Filesize
64KB

Download
memory/5824-346-0x0000026C97D30000-0x0000026C97D40000-memory.dmp

Filesize
64KB

Download
memory/5824-355-0x0000026C97D30000-0x0000026C97D40000-memory.dmp

Filesize
64KB

Download
memory/5824-347-0x0000026C97D30000-0x0000026C97D40000-memory.dmp

Filesize
64KB

Download
memory/6040-104-0x00000262E1470000-0x00000262E148E000-memory.dmp

Filesize
120KB

Download
memory/6040-103-0x00000262E13E0000-0x00000262E13F9000-memory.dmp

Filesize
100KB

Download
memory/6040-93-0x00000262E1410000-0x00000262E1432000-memory.dmp

Filesize
136KB

Download