Analysis Overview
SHA256
10638b1b21e30b12ddf9e7c14e3276481281e7ba6faae6191f475f96e58eea78
Threat Level: Likely malicious
The file Sliver5.zip was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Obfuscated with Agile.Net obfuscator
Obfuscated Files or Information: Command Obfuscation
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Gathers network information
Modifies registry class
Modifies registry key
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 23:18
Signatures
Obfuscated with Agile.Net obfuscator
Unsigned PE
Analysis: behavioral27
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicescreenshot.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicescreenshot.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | N/A | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240611-en
Max time kernel
54s
Max time network
63s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\LIBEAY32.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 87.248.205.0:80 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240611-en
Max time kernel
82s
Max time network
106s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicedebugserverproxy.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebugserverproxy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 199.232.210.172:80 | N/A | tcp |
| US | 199.232.214.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Renci.SshNet.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
79s
Max time network
84s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice-net-lighthouse.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 15.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\imobiledevice.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 24.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Obfuscated with Agile.Net obfuscator
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Launches sc.exe
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Store\LicenseManager | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\ValidDeviceId = "02xkfdhpyutzutmo" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};" | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL | C:\Windows\System32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\ValidDeviceId | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"/></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\ExtendedProperties | C:\Windows\System32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib\Request Wednesday, September 25, 2024 23:20:42 = [value removed] | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production | C:\Windows\System32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02nspqinmyxbpnib\AppIdList | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nspqinmyxbpnib\Response Wednesday, September 25, 2024 23:20:42 = [value removed] | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02nspqinmyxbpnib\Reason = "2147780641" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"><HardwareInfo BoundTime=\"1727306444\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3968772205-1713802336-1776639840-1000\02xkfdhpyutzutmo\DeviceId = "<Data><User username=\"02XKFDHPYUTZUTMO\"><HardwareInfo BoundTime=\"1727306443\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive | C:\Windows\System32\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry key
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe
"C:\Users\Admin\AppData\Local\Temp\Sliver 5.exe"
C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe" -l
C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe" -l
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.0.1975208909\367719197" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc835d5-26ce-41d2-b0e4-fc759370729f} 96 "\\.\pipe\gecko-crash-server-pipe.96" 1796 10ff10d5458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.1.1644361913\2133725011" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eac37c17-41c8-481d-8764-60095e075407} 96 "\\.\pipe\gecko-crash-server-pipe.96" 2152 10fded72558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.2.1658708370\912227210" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 3024 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8f04446-10e3-42f8-85ec-4a1c1a8485d9} 96 "\\.\pipe\gecko-crash-server-pipe.96" 2820 10ff1059458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.3.1094442883\563898317" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb3847d-64ca-47c5-a03f-5832b486f316} 96 "\\.\pipe\gecko-crash-server-pipe.96" 3508 10fded5b258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.4.661897959\685127865" -childID 3 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb38251-9332-41b9-b58c-dfb9237d615a} 96 "\\.\pipe\gecko-crash-server-pipe.96" 4204 10ff69e6858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.5.513375050\21568666" -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {322ebba9-04e4-471e-ba75-87ca7503013c} 96 "\\.\pipe\gecko-crash-server-pipe.96" 4908 10ff524cf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.6.1162447971\124473440" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd3a2929-2a0a-4ebc-b7c7-1e3963bbd25e} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5040 10ff524b458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.7.633172750\929389782" -childID 6 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffd62923-6497-4f89-8efd-737953965b69} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5228 10ff524db58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="96.8.1282322734\763338099" -childID 7 -isForBrowser -prefsHandle 5632 -prefMapHandle 2592 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1061182-1052-487b-b957-8389f5bbbb5a} 96 "\\.\pipe\gecko-crash-server-pipe.96" 5544 10ff214ec58 tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd""" -el -qedit'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" -el -qedit"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
C:\Windows\System32\find.exe
find "127.69.2.7"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "R@1n"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\cmd.exe
cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
C:\Windows\System32\find.exe
find /i "Subscription_is_activated"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "R@1n"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_a1411251-765d-4fa4-91da-45ef6def5cab.cmd') -split ':wpatest\:.*';iex ($f[1])"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "7" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "
C:\Windows\System32\find.exe
find /i "Ready"
C:\Windows\System32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 221a02da-e2a1-4b75-864c-0a4410a33fdf 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 8b351c9c-f398-4515-9900-09df49427262 b0773a15-df3a-4312-9ad2-83d69648e356 bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 e7a950a2-e548-4f10-bf16-02ec848e0643 ef51e000-2659-4f25-8345-3de70a9cf4c4 fe74f55b-0338-41d6-b267-4a201abe7285 " "
C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Set-WinHomeLocation -GeoId 244"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem5B3A.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem62FB.tmp
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -2147023838
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 10 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 10 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -s LicenseManager
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 10 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -2147023838
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"
C:\Windows\System32\find.exe
find /i "traceId"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 10 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Set-WinHomeLocation -GeoId 244"
C:\Windows\System32\choice.exe
choice /C:10 /N
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd""" -el -qedit'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" -el -qedit"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
C:\Windows\System32\find.exe
find "127.69.2.7"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\mode.com
mode 100, 32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd') -split ':sppmgr\:.*';iex ($f[1])"
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 76, 25
C:\Windows\System32\choice.exe
choice /C:120 /N
Network
Files
| SHA256 | 91ba0807728153c63f432452f769a60aec88ce4ec9f1cba4e5b731861d3218df |
| SHA512 | b502060b2bd244aac1fbde6e78c9298aa022b02c3bd1bd888a604eb2311c9d006fd9fcb449ab4484cfe2fa8aa65a21d4840ef46efe43d485476f8246b6b77edb |
C:\Windows\Temp\MAS_6759eee4-4b48-4ddb-901d-b781c1496e70.cmd
| MD5 | 3b3fd94a2f442dfa87108469573a5d44 |
| SHA1 | 85ddb80ce8b85b4d6a03dda8b9298457ab78f084 |
| SHA256 | ba6b5d1dba1fa3fd809accd0b1722deda5543cbb0b9a5fd5c2b5b1eee670902e |
| SHA512 | 3f491af17c5d707be13ce2b8af7e4c1f6e7fa670bbbe3c8d6e9bb8085890bd30d55ef62268b3109d38da4975f1eb2c80c8f8463c71d3bd5c20cb1f5a9e63d91a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 950a874c5efdadeb7ec4d43cf050e770 |
| SHA1 | 4cf4ffdf220eab582de7d38f92372e9e73d4eeca |
| SHA256 | f5a70a8329050d12e58dd1808fb9f4041add34a146afb7ae0dde6eac7a54bd5b |
| SHA512 | 58b64508ea7bf49d36e961a8c1a68db437861055d878c5ae2f6305685e16d69aca451a413ffdc458338c2fb495fa10e63cd319e003a49f61427a2fe88e8f55da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3804adba0d7d5be10b42b3d94be655e0 |
| SHA1 | 88f18a4f3b3597156f562e418cb1a08a59acaf62 |
| SHA256 | ec33cabe6a1c87f08ae0f58e855bcf24a1f1d8522c61a8802e5d1015a6b571fd |
| SHA512 | 8feadbde7a63f0171addb2db0d0fbebd130c8101d04dcaaf2b39f7c6dc50a6217fcffc7cc7cc6ddcddcdc37baefd70e41877eb313c7ddaf1c0652d57aaee41df |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 211213000afd5d42b50f8cfe13a65b28 |
| SHA1 | 0f27a878145ee153440eda0b4a91764622d29625 |
| SHA256 | d522a915555a5e48bdcbff30ab1cc2e42841421d2849a260681ad779ceadc25b |
| SHA512 | 229fe0391e0e5cf3b253a577c23523060c4b6e32e9e2dbd435a2950493bf5da8303c86a98c9d5080b1b4b9ff19acdad97e88a81694df5e8864add04c0218b37d |
Analysis: behavioral12
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup2.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicepair.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicepair.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\SSLEAY32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.f.f.f.9.d.a.0.2.d.e.b.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
76s
Max time network
79s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicecrashreport.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicecrashreport.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicedate.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicedate.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ios_webkit_debug_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ios_webkit_debug_proxy.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevice_id.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicedebug.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicedebug.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\info.exe
"C:\Users\Admin\AppData\Local\Temp\ref\info.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceimagemounter.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceimagemounter.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinstaller.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicename.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicename.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceprovision.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceprovision.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicerestore.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicerestore.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\ideviceactivation.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicediagnostics.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicediagnostics.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceenterrecovery.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceenterrecovery.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
148s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicebackup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\ideviceinfo.exe
"C:\Users\Admin\AppData\Local\Temp\ref\ideviceinfo.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240611-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicesyslog.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicesyslog.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:27015 | | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IFPDZ.Protection.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\bz2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240404-en
Max time kernel
80s
Max time network
87s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ref\getopt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 24.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-09-25 23:18
Reported
2024-09-25 23:22
Platform
win10-20240611-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ref\idevicenotificationproxy.exe
"C:\Users\Admin\AppData\Local\Temp\ref\idevicenotificationproxy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |