Malware Analysis Report

2024-11-30 19:25

Sample ID 240925-3ahwmstcjj
Target Sliver5.zip
SHA256 10638b1b21e30b12ddf9e7c14e3276481281e7ba6faae6191f475f96e58eea78
Tags
agilenet defense_evasion discovery execution
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file Sliver5.zip was found to be: Likely malicious.

Malicious Activity Summary

agilenet defense_evasion discovery execution

Blocklisted process makes network request

Obfuscated with Agile.Net obfuscator

Obfuscated Files or Information: Command Obfuscation

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Gathers network information

Modifies registry class

Modifies registry key

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-25 23:18

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

132s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicescreenshot.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicescreenshot.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicescreenshot.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240611-en

Max time kernel

54s

Max time network

63s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\LIBEAY32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\LIBEAY32.dll,#1

Network

Country Destination Domain Proto
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240611-en

Max time kernel

82s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebugserverproxy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicedebugserverproxy.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebugserverproxy.exe"

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 199.232.214.172:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

134s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Renci.SshNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Renci.SshNet.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

79s

Max time network

84s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice-net-lighthouse.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice-net-lighthouse.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 15.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

133s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 24.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\System32\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Store\LicenseManager C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\ValidDeviceId = "02xkfdhpyutzutmo" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};" C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL C:\Windows\System32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\ValidDeviceId C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"/></Data>\r\n" C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\ExtendedProperties C:\Windows\System32\reg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib\Request Wednesday, September 25, 2024 23:20:42 = "[value not captured in this extract]" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production C:\Windows\System32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02nspqinmyxbpnib\AppIdList C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib\Response Wednesday, September 25, 2024 23:20:42 = "[value not captured in this extract]" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02nspqinmyxbpnib\Reason = "2147780641" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"><HardwareInfo BoundTime=\"1727306444\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"><HardwareInfo BoundTime=\"1727306443\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n" C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive C:\Windows\System32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
PID 1716 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
PID 1716 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
PID 1716 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 588 wrote to memory of 96 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 3864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 3864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 96 wrote to memory of 1524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe

"C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe"

C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe" -l

C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe" -l

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.0.1975208909\367719197" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc835d5-26ce-41d2-b0e4-fc759370729f} 96 "\\.\pipe\gecko-crash-server-pipe.96" 1796 10ff10d5458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.1.1644361913\2133725011" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eac37c17-41c8-481d-8764-60095e075407} 96 "\\.\pipe\gecko-crash-server-pipe.96" 2152 10fded72558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.2.1658708370\912227210" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 3024 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8f04446-10e3-42f8-85ec-4a1c1a8485d9} 96 "\\.\pipe\gecko-crash-server-pipe.96" 2820 10ff1059458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.3.1094442883\563898317" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb3847d-64ca-47c5-a03f-5832b486f316} 96 "\\.\pipe\gecko-crash-server-pipe.96" 3508 10fded5b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.4.661897959\685127865" -childID 3 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb38251-9332-41b9-b58c-dfb9237d615a} 96 "\\.\pipe\gecko-crash-server-pipe.96" 4204 10ff69e6858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.5.513375050\21568666" -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {322ebba9-04e4-471e-ba75-87ca7503013c} 96 "\\.\pipe\gecko-crash-server-pipe.96" 4908 10ff524cf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.6.1162447971\124473440" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd3a2929-2a0a-4ebc-b7c7-1e3963bbd25e} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5040 10ff524b458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.7.633172750\929389782" -childID 6 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffd62923-6497-4f89-8efd-737953965b69} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5228 10ff524db58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.8.1282322734\763338099" -childID 7 -isForBrowser -prefsHandle 5632 -prefMapHandle 2592 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1061182-1052-487b-b957-8389f5bbbb5a} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5544 10ff214ec58 tab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd""" -el -qedit'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" -el -qedit"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "

C:\Windows\System32\find.exe

find "127.69.2.7"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "R@1n"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':winsubstatus\:.*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "Subscription_is_activated"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "R@1n"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':wpatest\:.*';iex ($f[1])"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "7" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "

C:\Windows\System32\find.exe

find /i "Ready"

C:\Windows\System32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 221a02da-e2a1-4b75-864c-0a4410a33fdf 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 8b351c9c-f398-4515-9900-09df49427262 b0773a15-df3a-4312-9ad2-83d69648e356 bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 e7a950a2-e548-4f10-bf16-02ec848e0643 ef51e000-2659-4f25-8345-3de70a9cf4c4 fe74f55b-0338-41d6-b267-4a201abe7285 " "

C:\Windows\System32\find.exe

find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Set-WinHomeLocation -GeoId 244"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem5B3A.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem62FB.tmp

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -2147023838

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 10 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 10 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -s LicenseManager

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 10 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -2147023838

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\ipconfig.exe

ipconfig /flushdns

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"

C:\Windows\System32\find.exe

find /i "traceId"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 10 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Set-WinHomeLocation -GeoId 244"

C:\Windows\System32\choice.exe

choice /C:10 /N

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd""" -el -qedit'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" -el -qedit"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "

C:\Windows\System32\find.exe

find "127.69.2.7"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 100, 32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':sppmgr\:.*';iex ($f[1])"

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 76, 25

C:\Windows\System32\choice.exe

choice /C:120 /N

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
N/A 127.0.0.1:27015 tcp
N/A 127.0.0.1:49779 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 86.161.69.54.in-addr.arpa udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
N/A 127.0.0.1:49785 tcp
US 8.8.8.8:53 massgrave.dev udp
US 172.67.201.171:80 massgrave.dev tcp
US 172.67.201.171:80 massgrave.dev tcp
US 8.8.8.8:53 massgrave.dev udp
US 8.8.8.8:53 massgrave.dev udp
US 172.67.201.171:443 massgrave.dev tcp
US 8.8.8.8:53 171.201.67.172.in-addr.arpa udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 172.67.201.171:443 massgrave.dev udp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 cloudflareinsights.com udp
US 104.16.79.73:443 cloudflareinsights.com tcp
US 104.16.79.73:443 cloudflareinsights.com tcp
US 8.8.8.8:53 cloudflareinsights.com udp
US 8.8.8.8:53 cloudflareinsights.com udp
US 8.8.8.8:53 73.79.16.104.in-addr.arpa udp
US 8.8.8.8:53 get.activated.win udp
US 104.21.24.156:443 get.activated.win tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 156.24.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 updatecheck.massgrave.dev udp
US 8.8.8.8:53 l.root-servers.net udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 purchase.mp.microsoft.com udp
GB 95.100.104.27:443 purchase.mp.microsoft.com tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 23.55.161.211:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 27.104.100.95.in-addr.arpa udp
US 8.8.8.8:53 211.161.55.23.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
GB 172.217.169.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigl6nsd.gvt1.com udp
GB 74.125.105.41:443 r4---sn-aigl6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigl6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigl6nsd.gvt1.com udp
GB 74.125.105.41:443 r4.sn-aigl6nsd.gvt1.com udp
US 8.8.8.8:53 41.105.125.74.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 172.67.201.171:443 massgrave.dev udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 updatecheck.massgrave.dev udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

SHA512 5b4a2f98076396a3fbaf294cb42d6f09da2b1f1b48b21388c180d97f0d010ec5a7a27ae592d1235a30758311e8fb919278830f7b5fba4a122d8a00f43212abbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 498a97174cf373733a3cbb910d9415e2
SHA1 daf1ef1cae805f1f8463fc26a84cd8168a75d33e
SHA256 e2df11e25158545f6ec8dfab5f75b170d873780a6d7db4e5cc4da9b09da04619
SHA512 79c537c222ce280ef70cdca159ad1c63f9b714f98a7311d32afb468cfb09ee46cc24a493603bd9f8e361c5feeec923d1409bcaaeec73fea6dde156e5e10e8f00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 76ae630d24d08ea754de37796b70afed
SHA1 08efd4b402fb186d0000e5db34fcdfa2208c9d4a
SHA256 a2b3fe7e2ba590ab93f88c9fc3d22250544a52f902f8d0df2f868ae7d6c87f0c
SHA512 01fd5f2535452747ccb69ecdede884f366851bfc4a34bcb4601fe1b2eb2a1b3a83f593f739362deaa1a6efe1e8959f4d75f8d6dca59d6de294b70d9b2780cd7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 917edc283687096c90a4e3ead005f546
SHA1 c7643b818403c9016ec13b41f11311d9c3e3deac
SHA256 15ffda804bc0794267d5969e99db5918d972fbbd3729f72909e74a29be31b65b
SHA512 d2cb1207184e27b1324960f0aec683c964058de10900964129bae617de2027708ee0f6425cd42972f267d910fc41b642ce2f25a73bae507315b5f00e886d960a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb633bdc924f399bd24030eaaf893fa3
SHA1 e7998a6faf44eda7b3ec6a6ab8bef66373016dcf
SHA256 ae091b8b1394900020809fb08f813f3e1ee789ea6e00fe53f7f25972e543e196
SHA512 c612202b23601d7dd0ee51e845bddff0ab8df35b9c46eeba9dfcf024de0efa2ab9b53272515dfcd900a68296f45b0ab276614a896844ab7320317ce7c7b041f2

memory/5792-414-0x0000018BF4C70000-0x0000018BF4DE6000-memory.dmp

memory/5792-417-0x0000018BF5000000-0x0000018BF5208000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

MD5 f489250578495a86e1b447cdf0284942
SHA1 c71cd1c19042df43f53e599219a41eae34480f4d
SHA256 ed892aa75528a57882a05de9f61a6eeee26c072dc8a7e0fa939b86811addeaf0
SHA512 759ed1c5fca808470bb100d82d880bc176f2b539a95aeafbdb98a1d2317b2b72236f4f8f91ec7956fa8fdd171fd222d43c766ff4b0ccf3a0c4d7d8f8ea5e1067

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 41c4f30a30b2d2e0b1bd558b9ee9d83e
SHA1 b230adacf78be5e5738ba318ce7a0bfe0b02c0ab
SHA256 ffe80791b65b5a7368ca14db654c15213bf732aebbc1dac42a9148d6ed2156e2
SHA512 d22965cb56e123224b8dae6e6495d343710876188376fc3c091190c22196bb76c980fa72a81bf2e6fba94849fb452829e16d3f5acd568cbad66679a3f66dde5c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a8aaebe1bb5415c6d932f06106b1afd
SHA1 5d10e29e7c9f2d1dd82a9a853c6e69f3a5f71038
SHA256 36e13c384e9151347b5aa040baa0d16cece3d0b68687f6a7a003eec85877ec69
SHA512 89943668d64856e2d0ec7417d810027b72faf2d8433761575d181294663ae7bea818a8f5f5378d2d3e010966850e9fd6e3509f2d69eaff82ba8fdf9efe6a6e48

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b9606c757e8c194e5517a5e5075941c6
SHA1 b388eba6ad2dbf42765f531dcbc1c7157cd5398b
SHA256 22c279a1669ed4095e9a2f1e45e942debeb691cd28f6a6f404f79b1e61168b7c
SHA512 32473ad0890a8837c1840b8b7842e02cbe4ec4023f6bcc7d8aa39ddd2b81d49b60d701c8600b4e056929db7fa54bde49c4a84320cdb9e8df7695253436421460

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 2143b379fed61ab5450bab1a751798ce
SHA1 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256 a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 84bae0be0d5a0b2c4eccfc92fb5274f7
SHA1 fb5636558d887ed4ab32384207de39e46ae60d41
SHA256 b6a6412f81c097777698665be2a8eaeb9a47ddd9413c1e70e026aa6d1b189090
SHA512 014c644d6cd13412372794671063da614534b83cc3797d9821433ba1f558d524f83179f2c4f2be503f49803bac085ff3928ce352ee99b1992eb26c0bf732d8da

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46b20b97928d46c2771ff058d7749c9e
SHA1 e728aaf2cec08a85423e3e1b073be94b7d205114
SHA256 a1e74e7e57fef2407afe7aebf74294e0e3d8f7ef5fdaec94deb10b9cf8061b1a
SHA512 57fd3d098f84830471df30ba0da1313e91ff6c05135573cc5623b5d3997f645484cba8710adb2407f34a3378f294885d391043b423225cf02d327813aaa80d59

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 29a8b81f5a892003d2f11c68b3a7b9ad
SHA1 bea340257f739d227f0ce54dd84611f572677cd6
SHA256 192f406c2b28824d3c5ffbfe269d8fbf86700028473cef16a1dacd90b30bb6fb
SHA512 f1617f4e7779017442877a4e141fb3991e27d31834ff925e3d3658abc05cde4caf32717860d9469b90fa68bc316927ad56398fb257661ab552f8440b4a214b03

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 265234209306ddf3f66c998f0418abd2
SHA1 4853eba1471323eaa7b7f0b626db5079fd47fcb1
SHA256 415652409f909e1d1bb1f2a8ecd82a821599a8b5a419bb76a202900ae1bff8af
SHA512 90d5d26d2b6d282369e609ebdc4d8d10fd128ba211db3f836d41fbad5d368d8ceacc57bc10b1f2b59d1ead4a074960289b92bef8abaf9277b47e64ec5087dd10

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b3e963b300a2b3faab74d1653e85bc0
SHA1 2f1c6a1aa0f2eacd6164b0793b26d96c4897c0b3
SHA256 1fe2a9c8a40572fb174af35cbe94e93e0c5bbe48dd12e2ddadbee7a7f65399d1
SHA512 4d8b009c94accdadb7b829c5641695cccb4c0611660c57125793cb6b7f91a0d663c0b9265c26cb56c33b5f5f964a0839be6d4add6a58670ac65226b2c533ad11

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bf22ca0ae402befcf7e87cae9e5adb77
SHA1 2817c9cf93be912cf758f7956e06cb820f377e0c
SHA256 8de63052e4d25ec73f1d7f450219c4b6b429296eb246e100b9333e4a50d49eea
SHA512 264b8c9425036003eaaa6f9eda79b79ff229b7f9cc50e386cfb2516da1a8e46a4cda7b6c220ed08aa5eed29f9e060a60fe6d1f0dcb05a869c9b85836ec910540

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

MD5 67a8abe602fd21c5683962fa75f8c9fd
SHA1 e296942da1d2b56452e05ae7f753cd176d488ea8
SHA256 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA512 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2193f296574065a3c91ac9a63d917907
SHA1 cc7016b159dd3135bb7046faf11c48e1683719d8
SHA256 30ffe636dfe7522316ac61f6c86b9f27f2e2c57644dd57e82ff89598251e7b44
SHA512 4d71a71654b5115dab729c9d5af7116c339cc36bc633cdbbfa5c4a47f053c1638279fa8849ba78b6ea13df303310c2d4893ecb3c572fae77e0ebae952efb190d

memory/5864-802-0x000002C4A1560000-0x000002C4A1570000-memory.dmp

memory/5864-801-0x000002C4A1560000-0x000002C4A1570000-memory.dmp

memory/5864-800-0x000002C4A1560000-0x000002C4A1570000-memory.dmp

memory/5508-807-0x000001F49FE10000-0x000001F49FE20000-memory.dmp

memory/5508-806-0x000001F49FE10000-0x000001F49FE20000-memory.dmp

memory/5508-805-0x000001F49FE10000-0x000001F49FE20000-memory.dmp

memory/5508-811-0x000001F49FE10000-0x000001F49FE20000-memory.dmp

memory/5508-810-0x000001F49FE10000-0x000001F49FE20000-memory.dmp

C:\Windows\TEMP\tem5B3A.tmp

MD5 b13af738aa8be55154b2752979d76827
SHA1 64a5f927720af02a367c105c65c1f5da639b7a93
SHA256 663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512 cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

memory/5864-814-0x000002C4A1560000-0x000002C4A1570000-memory.dmp

memory/5864-813-0x000002C4A1560000-0x000002C4A1570000-memory.dmp

memory/5776-839-0x000002AAA7B70000-0x000002AAA7B80000-memory.dmp

memory/5776-838-0x000002AAA7B70000-0x000002AAA7B80000-memory.dmp

memory/5776-837-0x000002AAA7B70000-0x000002AAA7B80000-memory.dmp

memory/4552-844-0x0000016B7F370000-0x0000016B7F380000-memory.dmp

memory/4552-843-0x0000016B7F370000-0x0000016B7F380000-memory.dmp

memory/4552-842-0x0000016B7F370000-0x0000016B7F380000-memory.dmp

memory/4552-848-0x0000016B7F370000-0x0000016B7F380000-memory.dmp

memory/4552-847-0x0000016B7F370000-0x0000016B7F380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem62FB.tmp

MD5 a4ddf689da158b5b22edea3907bfe6f4
SHA1 170bc7f8cb70b2c026c985bf87ddf797d2f78564
SHA256 73d162f9c191ee5a658324546db049e3f5d8ec53f8506cb9f858adc43dab6362
SHA512 9c5555811290630fc033e4e4a957fcbf01cd063f1271fadae34f4ea825c86c3b3a57ba9895ee510880265da4163b954442434bbe3571108ad67b5c3040dd278e

memory/5776-850-0x000002AAA7B70000-0x000002AAA7B80000-memory.dmp

memory/5776-851-0x000002AAA7B70000-0x000002AAA7B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cf1835c4a581b835d7a057601cb015de
SHA1 167dffa799768b87d64a938c9b828054c94a5018
SHA256 e6c6659ba1a47cd7f75a7218842517365c03d77367c50523ca3171348dc82220
SHA512 e2682534b81e0a40c4c44c20623f84e75c32bbce3bec54d9e8bf32b5ed48a1b33276ff915e3915a4caac951667af72407f6cb975c1063051a583cace8c2854c9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a92769f7e0e6c5e82fd8f9f714f2276
SHA1 a5764ff70f32e15217ae07ed2357485df0c93095
SHA256 f13ed165f8830b82401d47ae1848590ae076cafb3d8f0d40f9cdc835ff608355
SHA512 9871e5b78a4eacaf40b6a3e428c0dc0868c38b0396e4588c5b44f4f45bffa14b3c42ed540171976034bb5b00d27d75718ceeb933d6ed93994a97b32108517d3c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57ceb5bcfbee059d903d0a38435386af
SHA1 353ef80671eebc8552103491e5fc058ee5fbda7a
SHA256 96c07db2c1eef66c21bda0c6744c56d49dc2649cfbed355f75781c7a5d3f4ffc
SHA512 82beada4beef5448c13af5eeff3afc3ab0f038899436ba3855c522ca5b09fc65d9573d7f841e31b29d0a45d0da6d95c462d0d2bd2931f6de02e72933e9c1631a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a9be6d1dfa70c99ba21831ac21ec114
SHA1 1e573e134951d1d775c79a50a969be5c90634fbe
SHA256 8c95c17914fb2163b9a262725f7a8947089145f892a1842919af6dfa8f79a649
SHA512 3c0682841d0f66ea49567bfb3e5c63254364abe8431b0e2a3ee2613cef68e9a6cf242c08d56bc93affa18ca7b69d123ac03730fce24f373203e7443ba9ad95a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d03ea3315740d525df699ad5dfa45d31
SHA1 b95ea36f2f0649f76292e0202a01841d1867d4dd
SHA256 866a8a9404566580cf220e174be61383fb6ecc531d7e9b06bcf065816c054785
SHA512 4a4d6f1f598d45e92c0c8844ac9eb39277b441835cae84ece9f0dc36075376d0a5b77406a832b74e98064631290191312825d62fef388e7db9d1cfe35c9d3d07

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f70c9f0e25ab267da1b18063e408f160
SHA1 2c428ff4922872a25bdcbe22c86d220fefc4278c
SHA256 14224a71449c308853e57a560094577d4d0f4bc2057b9127d3607316268db771
SHA512 a30be79b11770862c454114389589537133fcb4d79c6dbdfe92086c350cb052a5526f0506542eb50b92395ee1d70696938ec6f4550239fec67ae7d6c2df945ec

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 910e0c930cc35e14ccb3e4a99381e8a5
SHA1 c9dfdbfe31dce98d36066d4dd20a38c79ec74b90
SHA256 55b4e6b0bba1e903e84941ea0578f0d2f69c299e62dc777f02b27021106200c4
SHA512 42e8c10db9be1c9ae77f7f6611cfdf013b633794878118ed44e2ad33f9bc1ad30eb57bfa56d53912ffbc9e13dfccca5f3136e803eb7f931606d1f166d16073a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

MD5 2da37dece657897020c158d4a165112f
SHA1 b1e979d6f0570c186903315d5863b576ca5a6afa
SHA256 fc789a37a3cd6a5010608b7f948752689ece2853d7b169a8059a03636b033ef3
SHA512 afa73013946871bbfe30d1732a03b1f060edb1b8725765a7d0225e7f814ef771805bb65de7fb9f99c47b95769ddd7b666dbd0af9c2e755e9683c1ef7e7c67b14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 006394a0a8cb74e55e45f8c3b142a295
SHA1 3224a854edd22640a195aeb0da030910ebb318a0
SHA256 8ce10ba775aaceb4568c72e0920b2359267c1b8d48ddc986e52a70fdd4c54caa
SHA512 dbfdc0a9f6ea600feb1f3da1aebe2a40a6e70030b851b5415fa11d508944e532a6fedbdbbffadf59d18aab5061a7134465567c030b034844bf7d80f2c0a60340

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3400baa318c9ea173062960c7610776a
SHA1 986517120f5843708d2660a4bf4df16c3b5d1abe
SHA256 c592e9741bbbd4b37a5923f6884e9db0bea89e353d7a60312fe8c0fbaa25fac6
SHA512 75d416079d6d4ec8bddc316791895fce556b7c0239a70bf01ce653262e1807a1e553c71d8119f0e81e7cfb9436251df32b67d43dd8d871de8699563f9c471f42

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61174c105d05d9be0a5b00891fe4bf69
SHA1 f6a5899758b63e132997c4fb5854ede986e84538
SHA256 6acf9f8f78e7ef8912070d8fa6617f96ecb86bae13074b6bb02936f1db3b2ec0
SHA512 3c7cc88e11c72e56da1cea102d44f589d6f18893c5d09b0caff3e31b0603155ed3077c24861efe6a3900a7c3c86f56cd7e250fe84d27e09fd4eb1033629ebb57

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

MD5 ce2ff8e96e91f6b28108076363501f7f
SHA1 c50264ab73d01b7ee71ef1e5a2e17a40eed97ec8
SHA256 91ba0807728153c63f432452f769a60aec88ce4ec9f1cba4e5b731861d3218df
SHA512 b502060b2bd244aac1fbde6e78c9298aa022b02c3bd1bd888a604eb2311c9d006fd9fcb449ab4484cfe2fa8aa65a21d4840ef46efe43d485476f8246b6b77edb

C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd

MD5 3b3fd94a2f442dfa87108469573a5d44
SHA1 85ddb80ce8b85b4d6a03dda8b9298457ab78f084
SHA256 ba6b5d1dba1fa3fd809accd0b1722deda5543cbb0b9a5fd5c2b5b1eee670902e
SHA512 3f491af17c5d707be13ce2b8af7e4c1f6e7fa670bbbe3c8d6e9bb8085890bd30d55ef62268b3109d38da4975f1eb2c80c8f8463c71d3bd5c20cb1f5a9e63d91a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 950a874c5efdadeb7ec4d43cf050e770
SHA1 4cf4ffdf220eab582de7d38f92372e9e73d4eeca
SHA256 f5a70a8329050d12e58dd1808fb9f4041add34a146afb7ae0dde6eac7a54bd5b
SHA512 58b64508ea7bf49d36e961a8c1a68db437861055d878c5ae2f6305685e16d69aca451a413ffdc458338c2fb495fa10e63cd319e003a49f61427a2fe88e8f55da

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3804adba0d7d5be10b42b3d94be655e0
SHA1 88f18a4f3b3597156f562e418cb1a08a59acaf62
SHA256 ec33cabe6a1c87f08ae0f58e855bcf24a1f1d8522c61a8802e5d1015a6b571fd
SHA512 8feadbde7a63f0171addb2db0d0fbebd130c8101d04dcaaf2b39f7c6dc50a6217fcffc7cc7cc6ddcddcdc37baefd70e41877eb313c7ddaf1c0652d57aaee41df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 211213000afd5d42b50f8cfe13a65b28
SHA1 0f27a878145ee153440eda0b4a91764622d29625
SHA256 d522a915555a5e48bdcbff30ab1cc2e42841421d2849a260681ad779ceadc25b
SHA512 229fe0391e0e5cf3b253a577c23523060c4b6e32e9e2dbd435a2950493bf5da8303c86a98c9d5080b1b4b9ff19acdad97e88a81694df5e8864add04c0218b37d

Analysis: behavioral12

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup2.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicepair.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicepair.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicepair.exe"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\SSLEAY32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\SSLEAY32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 f.f.f.f.9.d.a.0.2.d.e.b.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 76s
Max time network 79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicecrashreport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicecrashreport.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicecrashreport.exe"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicedate.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedate.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 137s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ios_webkit_debug_proxy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ios_webkit_debug_proxy.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ios_webkit_debug_proxy.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 134s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebug.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicedebug.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebug.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\info.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\info.exe

"C:\Users\Admin\AppData\Local\Temp\ref\info.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceimagemounter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceimagemounter.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceimagemounter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinstaller.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceinstaller.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinstaller.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicename.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicename.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicename.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceprovision.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceprovision.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceprovision.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicerestore.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicerestore.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicerestore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 134s
Max time network 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicediagnostics.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicediagnostics.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicediagnostics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceenterrecovery.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceenterrecovery.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceenterrecovery.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240404-en
Max time kernel 133s
Max time network 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinfo.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\ideviceinfo.exe

"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinfo.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:27015 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted 2024-09-25 23:18
Reported 2024-09-25 23:22
Platform win10-20240611-en
Max time kernel 129s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicesyslog.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicesyslog.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicesyslog.exe"

Network

Country  Destination      Domain                                                                     Proto
N/A      127.0.0.1:27015                                                                             tcp
US       8.8.8.8:53       0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa  udp
US       8.8.8.8:53       22.236.111.52.in-addr.arpa                                                 udp
US       8.8.8.8:53       18.173.189.20.in-addr.arpa                                                 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

134s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IFPDZ.Protection.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IFPDZ.Protection.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

133s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\bz2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\bz2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240404-en

Max time kernel

80s

Max time network

87s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\getopt.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\getopt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 24.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-25 23:18

Reported

2024-09-25 23:22

Platform

win10-20240611-en

Max time kernel

129s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ref\idevicenotificationproxy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ref\idevicenotificationproxy.exe

"C:\Users\Admin\AppData\Local\Temp\ref\idevicenotificationproxy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A