hxxps://giggle[.]co

Analysis

max time kernel
1800s
max time network
1313s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/09/2024, 11:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://giggle.co

Score

8^/10

bootkit defense_evasion discovery execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
25	1104	PowerShell.exe
26	1104	PowerShell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4468	PAssist_Std_20240929.14356228.exe
2220	PAssist_Std_20240929.14356228.tmp
2028	aman.exe

Loads dropped DLL 14 IoCs

pid	Process
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2028	aman.exe
2028	aman.exe
2028	aman.exe
2028	aman.exe
2028	aman.exe
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
4648	powershell.exe
2412	powershell.exe
4088	powershell.exe
4732	powershell.exe
5376	powershell.exe
5020	powershell.exe
2688	powershell.exe
4568	powershell.exe
572	powershell.exe
5392	powershell.exe
3360	powershell.exe
4108	powershell.exe
4888	powershell.exe
5432	powershell.exe
440	powershell.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	MBR2GPT.EXE
File opened (read-only)	\??\Z:	MBR2GPT.EXE
File opened (read-only)	\??\Z:	MBR2GPT.EXE
File opened (read-only)	\??\Z:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\F:	MBR2GPT.EXE
File opened (read-only)	\??\Z:	MBR2GPT.EXE
File opened (read-only)	\??\Z:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\D:	MBR2GPT.EXE

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	vds.exe
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\diskmgmt.msc	mmc.exe

Drops file in Windows directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\SystemTemp\temAEF8.tmp	Clipup.exe
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\diagwrn.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5464	sc.exe
4432	sc.exe
3180	sc.exe
2628	sc.exe
4660	sc.exe
5720	sc.exe
3468	sc.exe
3248	sc.exe
4760	sc.exe
3592	sc.exe
232	sc.exe
2172	sc.exe
2632	sc.exe
6084	sc.exe
5896	sc.exe
5024	sc.exe
5984	sc.exe
5292	sc.exe
964	sc.exe
5272	sc.exe
5312	sc.exe
1144	sc.exe
4668	sc.exe
3724	sc.exe
3780	sc.exe
348	sc.exe
3976	sc.exe
5064	sc.exe
5972	sc.exe
780	sc.exe
4072	sc.exe
5904	sc.exe
4492	sc.exe
4804	sc.exe
3244	sc.exe
2884	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PAssist_Std_20240929.14356228.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAssist_Std_20240929.14356228.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAssist_Std_20240929.14356228.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aman.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
676	PING.EXE
2672	cmd.exe
3172	PING.EXE
1056	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\InstallFlags	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e8a88e67b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000d0e63f000000ffffffff000000000700010000680900700a100e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100ecf88e63b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000505d3f000000ffffffff000000000700010000680900700a100e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UINumber	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c439ff0-9cf7-43cd-961e-9299a4c6c157}\0064	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e0a6bdd5f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d700a100e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e078be6530000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900700a100e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0013	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e904db48b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0f93a0000000000400600000000ffffffff000000002700010000d87c1d700a100e000000000000b0f93a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d700a100e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	mmc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e904dcf8b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0f93a0000000000400600000000ffffffff000000000c00010000d87c1d700a100e000000000000b0f93a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d700a100e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e8d68d88f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000d0e63f000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a0f93f0000000000400600000000ffffffff000000000c00010000d0fc1f700a100e000000000000a0f93f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\WindowsHHDPerformanceData	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e0d6bdd7f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d700a100e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Exclusive	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000A	mmc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Address	mmc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e9368d8cf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000090e03f000000ffffffff000000000700010000680900700a100e000000000000d01200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060f33f0000000000400600000000ffffffff000000000c00010000b0f91f700a100e00000000000060f33f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e9968bd0f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000050da3f000000ffffffff000000000700010000680900700a100e000000000000d01200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020ed3f0000000000400600000000ffffffff00000000270001000090f61f700a100e00000000000020ed3f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	PAssist_Std_20240929.14356228.tmp
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	PAssist_Std_20240929.14356228.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	PAssist_Std_20240929.14356228.tmp
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main	PAssist_Std_20240929.14356228.tmp

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\ExtendedProperties	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	reg.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	explorer.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5700	reg.exe
5804	reg.exe
3944	reg.exe
5952	reg.exe
1420	reg.exe
5516	reg.exe
1344	reg.exe
1628	reg.exe
1328	reg.exe
5720	reg.exe
2708	reg.exe
5528	reg.exe
2004	reg.exe
6104	reg.exe
2984	reg.exe
6060	reg.exe
6076	reg.exe
2052	reg.exe
5760	reg.exe
3076	reg.exe
4712	reg.exe
3592	reg.exe
3052	reg.exe
3404	reg.exe
2240	reg.exe
2200	reg.exe
4604	reg.exe
1396	reg.exe
1028	reg.exe
812	reg.exe
1264	reg.exe
1036	reg.exe
2484	reg.exe
4816	reg.exe
1032	reg.exe
2704	reg.exe
2436	reg.exe
5128	reg.exe
4336	reg.exe
3700	reg.exe
2612	reg.exe
4460	reg.exe
6092	reg.exe
2892	reg.exe
4816	reg.exe
4092	reg.exe
2220	reg.exe
3020	reg.exe
5464	reg.exe
4528	reg.exe
1728	reg.exe
5192	reg.exe
1116	reg.exe
4780	reg.exe
3372	reg.exe
3532	reg.exe
5760	reg.exe
4928	reg.exe
348	reg.exe
3380	reg.exe
1128	reg.exe
3944	reg.exe
3360	reg.exe
1652	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 425722.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PAssist_Std_20240929.14356228.exe:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
676	PING.EXE
3172	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
4720	msedge.exe
4720	msedge.exe
2652	msedge.exe
2652	msedge.exe
1844	identity_helper.exe
1844	identity_helper.exe
1104	PowerShell.exe
1104	PowerShell.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
572	powershell.exe
572	powershell.exe
572	powershell.exe
5392	powershell.exe
5392	powershell.exe
5392	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
2004	powershell.exe
2004	powershell.exe
3360	powershell.exe
3360	powershell.exe
5020	powershell.exe
5020	powershell.exe
5620	powershell.exe
5620	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
5432	powershell.exe
5432	powershell.exe
2324	powershell.exe
2324	powershell.exe
5584	powershell.exe
5584	powershell.exe
3472	powershell.exe
3472	powershell.exe
1496	powershell.exe
1496	powershell.exe
440	powershell.exe
440	powershell.exe
5664	powershell.exe
5664	powershell.exe
6024	powershell.exe
6024	powershell.exe
2012	powershell.exe
2012	powershell.exe
5376	powershell.exe
5376	powershell.exe
2688	powershell.exe
2688	powershell.exe
5536	powershell.exe
5536	powershell.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
5040	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	mmc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4944	vds.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
5476	msedge.exe
5476	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	PowerShell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	5392	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeIncreaseQuotaPrivilege	3532	WMIC.exe
Token: SeSecurityPrivilege	3532	WMIC.exe
Token: SeTakeOwnershipPrivilege	3532	WMIC.exe
Token: SeLoadDriverPrivilege	3532	WMIC.exe
Token: SeSystemProfilePrivilege	3532	WMIC.exe
Token: SeSystemtimePrivilege	3532	WMIC.exe
Token: SeProfSingleProcessPrivilege	3532	WMIC.exe
Token: SeIncBasePriorityPrivilege	3532	WMIC.exe
Token: SeCreatePagefilePrivilege	3532	WMIC.exe
Token: SeBackupPrivilege	3532	WMIC.exe
Token: SeRestorePrivilege	3532	WMIC.exe
Token: SeShutdownPrivilege	3532	WMIC.exe
Token: SeDebugPrivilege	3532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3532	WMIC.exe
Token: SeRemoteShutdownPrivilege	3532	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2644	mmc.exe
2644	mmc.exe
5644	MiniSearchHost.exe
2644	mmc.exe
2644	mmc.exe
4468	PAssist_Std_20240929.14356228.exe
2220	PAssist_Std_20240929.14356228.tmp
2028	aman.exe
2220	PAssist_Std_20240929.14356228.tmp
2220	PAssist_Std_20240929.14356228.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3860	4720	msedge.exe	78
PID 4720 wrote to memory of 3860	4720	msedge.exe	78
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 3720	4720	msedge.exe	79
PID 4720 wrote to memory of 736	4720	msedge.exe	80
PID 4720 wrote to memory of 736	4720	msedge.exe	80
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81
PID 4720 wrote to memory of 1040	4720	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://giggle.co
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6db93cb8,0x7fff6db93cc8,0x7fff6db93cd8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,5120816135986343320,12733567584402100449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:3684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd" "
  2⤵
  PID:2540
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:3592
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3260
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd"
    3⤵
    PID:3380
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c ver
    3⤵
    PID:3284
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:1464
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1728
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:3548
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:3444
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:3080
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd" "
    3⤵
    PID:2632
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2616
- - C:\Windows\System32\cmd.exe
    cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
    3⤵
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4108
- - C:\Windows\System32\find.exe
    find /i "FullLanguage"
    3⤵
    PID:5620
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\find.exe
    find /i "True"
    3⤵
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd""" -el -qedit'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd" -el -qedit"
      4⤵
      PID:5336
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:5720
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:1800
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd"
        5⤵
        
        PID:3392
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:5568
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:3812
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:5324
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:4824
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:4012
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:3100
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:5892
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:3904
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd" "
        5⤵
        
        PID:5964
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:5980
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
        5⤵
        
        PID:5356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:3324
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\find.exe
        
        find /i "True"
        5⤵
        
        PID:2796
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1056
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:676
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        5⤵
        
        PID:2332
    - - C:\Windows\System32\find.exe
        
        find "127.69"
        5⤵
        
        PID:1672
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        5⤵
        
        PID:3236
    - - C:\Windows\System32\find.exe
        
        find "127.69.2.7"
        5⤵
        
        PID:4472
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:5140
    - - C:\Windows\System32\find.exe
        
        find /i "/S"
        5⤵
        
        PID:4912
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:4244
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:2672
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:4464
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        6⤵
        
        PID:1180
    - - C:\Windows\System32\mode.com
        
        mode 76, 33
        5⤵
        
        PID:1604
    - - C:\Windows\System32\choice.exe
        
        choice /C:123456789H0 /N
        5⤵
        
        PID:2792
    - - C:\Windows\System32\mode.com
        
        mode 110, 34
        5⤵
        
        PID:5228
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:780
    - - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        5⤵
        
        PID:440
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:1452
    - - C:\Windows\System32\find.exe
        
        find /i "R@1n"
        5⤵
        
        PID:1996
    - - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:1256
    - - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:1396
    - - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:6060
    - - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:5128
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        5⤵
        Modifies registry key
        
        PID:5760
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        5⤵
        Modifies registry key
        
        PID:3944
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        5⤵
        Modifies registry key
        
        PID:2708
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5700
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4816
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        5⤵
        Modifies registry key
        
        PID:5464
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        5⤵
        Modifies registry key
        
        PID:4780
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        5⤵
        Modifies registry key
        
        PID:2052
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:348
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        5⤵
        
        PID:2040
    - - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        5⤵
        
        PID:4092
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        5⤵
        
        PID:4064
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:4864
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        5⤵
        
        PID:4648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        5⤵
        
        PID:6028
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        6⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        5⤵
        
        PID:6024
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3360
    - - C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        5⤵
        
        PID:5044
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:4868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        5⤵
        
        PID:6088
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:6072
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        5⤵
        
        PID:5652
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:5324
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:3236
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:4472
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:5140
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2672
      - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:3296
    - - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        5⤵
        
        PID:1136
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:5676
    - - C:\Windows\System32\find.exe
        
        find /i "R@1n"
        5⤵
        
        PID:1956
    - - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:5344
    - - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:5996
    - - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:976
    - - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:2308
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        5⤵
        Modifies registry key
        
        PID:2984
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        5⤵
        Modifies registry key
        
        PID:3404
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        5⤵
        Modifies registry key
        
        PID:4928
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5804
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4604
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2240
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        5⤵
        Modifies registry key
        
        PID:2436
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        5⤵
        Modifies registry key
        
        PID:2612
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:780
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        5⤵
        
        PID:1576
    - - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        5⤵
        
        PID:1452
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:5292
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:1144
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:5972
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        5⤵
        Modifies registry key
        
        PID:1396
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        5⤵
        Modifies registry key
        
        PID:6060
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        5⤵
        Modifies registry key
        
        PID:5128
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5760
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        5⤵
        Modifies registry key
        
        PID:3944
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        5⤵
        Modifies registry key
        
        PID:1344
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        5⤵
        Modifies registry key
        
        PID:4528
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        5⤵
        Modifies registry key
        
        PID:4816
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:5464
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:232
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:1032
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        5⤵
        Modifies registry key
        
        PID:348
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:3076
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4092
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4336
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:1028
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        5⤵
        Modifies registry key
        
        PID:5528
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        5⤵
        Modifies registry key
        
        PID:812
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4072
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:3976
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:2704
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        5⤵
        Modifies registry key
        
        PID:1264
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:5952
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:2220
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:1036
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2004
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        5⤵
        Modifies registry key
        
        PID:1628
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        5⤵
        Modifies registry key
        
        PID:2200
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:5904
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        Launches sc.exe
        
        PID:4660
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        5⤵
        Modifies registry key
        
        PID:3700
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        5⤵
        Modifies registry key
        
        PID:3532
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        5⤵
        Modifies registry key
        
        PID:1728
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4460
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4712
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        5⤵
        Modifies registry key
        
        PID:3380
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        5⤵
        Modifies registry key
        
        PID:3592
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        5⤵
        Modifies registry key
        
        PID:1420
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4492
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:2172
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        5⤵
        Modifies registry key
        
        PID:3360
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        5⤵
        Modifies registry key
        
        PID:3020
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        5⤵
        Modifies registry key
        
        PID:1652
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5192
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        5⤵
        Modifies registry key
        
        PID:1328
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        5⤵
        Modifies registry key
        
        PID:6076
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        5⤵
        Modifies registry key
        
        PID:6104
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        5⤵
        Modifies registry key
        
        PID:6092
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:2632
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:6084
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        5⤵
        Modifies registry key
        
        PID:1128
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        5⤵
        Modifies registry key
        
        PID:2484
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        5⤵
        Modifies registry key
        
        PID:5516
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:1116
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        5⤵
        Modifies registry key
        
        PID:3372
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        5⤵
        Modifies registry key
        
        PID:5720
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        5⤵
        Modifies registry key
        
        PID:2892
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        5⤵
        Modifies registry key
        
        PID:3052
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:4668
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:4804
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:5312
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:3724
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:5896
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:3468
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:964
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3524
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:5272
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:3780
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:5340
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:5024
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:4432
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:1160
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:3248
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        Launches sc.exe
        
        PID:5984
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:5980
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:5064
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:3180
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4760
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:2628
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:2512
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:3244
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:5392
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        6⤵
        
        PID:5932
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        5⤵
        
        PID:1488
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        5⤵
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd') -split ':wpatest\:.*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5432
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "6" "
        5⤵
        
        PID:5104
    - - C:\Windows\System32\find.exe
        
        find /i "Error Found"
        5⤵
        
        PID:1692
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
        5⤵
        
        PID:4768
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        6⤵
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:3352
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:4384
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:5420
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        5⤵
        
        PID:4728
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440"
        5⤵
        
        PID:2148
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        5⤵
        
        PID:2036
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        5⤵
        
        PID:4356
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        5⤵
        
        PID:3460
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        5⤵
        
        PID:4452
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        5⤵
        
        PID:4168
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        5⤵
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        5⤵
        
        PID:1392
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        6⤵
        
        PID:5736
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        5⤵
        
        PID:5476
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        5⤵
        
        PID:5536
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        6⤵
        
        PID:2812
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
        5⤵
        
        PID:2784
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        6⤵
        
        PID:2988
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        5⤵
        
        PID:5220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5584
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        5⤵
        
        PID:6036
    - - C:\Windows\System32\find.exe
        
        find /i "Ready"
        5⤵
        
        PID:4204
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        5⤵
        
        PID:5600
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        5⤵
        
        PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:440
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        5⤵
        
        PID:776
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        5⤵
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5664
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        5⤵
        
        PID:2596
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        6⤵
        
        PID:2560
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
        5⤵
        
        PID:812
    - - C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        5⤵
        
        PID:1068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        5⤵
        
        PID:3976
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:5180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        5⤵
        
        PID:3992
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        5⤵
        
        PID:2004
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        6⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        5⤵
        
        PID:756
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        6⤵
        
        PID:4968
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:2656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6024
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        5⤵
        
        PID:4492
    - - C:\Windows\System32\find.exe
        
        find "AAAA"
        5⤵
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5376
    - - C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        5⤵
        
        PID:5728
      - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temAFB3.tmp
        6⤵
        Checks SCSI registry key(s)
        
        PID:5356
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:4540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
        5⤵
        
        PID:1672
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:2796
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        5⤵
        
        PID:5652
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b -2143326207
        5⤵
        
        PID:1824
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        5⤵
        
        PID:1472
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:5324
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
        5⤵
        Modifies data under HKEY_USERS
        
        PID:5476
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
        5⤵
        
        PID:5332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 10 | Out-Null"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 10 | Out-Null"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 10 | Out-Null"
        5⤵
        
        PID:5044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2412
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        5⤵
        
        PID:4652
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        5⤵
        
        PID:4432
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:6072
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        5⤵
        
        PID:3184
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:1800
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        5⤵
        
        PID:6100
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        5⤵
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        5⤵
        
        PID:5112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4088

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:1124
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temAEF8.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7fff6db93cb8,0x7fff6db93cc8,0x7fff6db93cd8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,9847571721683712996,2546616190624156040,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,9847571721683712996,2546616190624156040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,9847571721683712996,2546616190624156040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,9847571721683712996,2546616190624156040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,9847571721683712996,2546616190624156040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: LoadsDriver
PID:4944

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2320
- C:\Windows\system32\diskpart.exe
  diskpart
  2⤵
  PID:6052
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /verify
  2⤵
  PID:3292
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /validate
  2⤵
  PID:4700
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /validate /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:4868
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:4108
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:4408
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /?
  2⤵
  PID:2216
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /validate /disk:0 /allowFullOS
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:2860
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /disk:0 /allowFullOS
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:3396
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /?
  2⤵
  PID:2744
- C:\Windows\system32\diskpart.exe
  diskpart
  2⤵
  PID:3368
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /validate /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:1908
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:3204
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:1820
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:4032
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:5184

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5580

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1664

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5856

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6db93cb8,0x7fff6db93cc8,0x7fff6db93cd8
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4924 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,16629567719040421989,8116516577918202283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1388
- C:\Users\Admin\Downloads\PAssist_Std_20240929.14356228.exe
  "C:\Users\Admin\Downloads\PAssist_Std_20240929.14356228.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\is-V7E1I.tmp\PAssist_Std_20240929.14356228.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-V7E1I.tmp\PAssist_Std_20240929.14356228.tmp" /SL5="$1002F8,81260807,619008,C:\Users\Admin\Downloads\PAssist_Std_20240929.14356228.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\aman.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\aman.exe" -Cookies
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:8

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4596
- C:\Windows\system32\MBR2GPT.EXE
  mbr2gpt /convert /allowfullos
  2⤵
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:2372

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4924
- C:\Windows\system32\diskpart.exe
  diskpart
  2⤵
  PID:4228

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5480

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
PID:1728

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3944

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
PID:3800

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4436

C:\Windows\system32\systempropertiesadvanced.exe
"C:\Windows\system32\systempropertiesadvanced.exe"
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0a997801-6687-4e8f-bbdb-ea0238bb6438.tmp

Filesize
11KB

MD5
58476486b395e086c54a390cb1e73f85

SHA1
92213283e7cf24184184e2b9d86e8cda3a772b1b

SHA256
8313a51ba2805a60c1400062d31904f906bad162b074f13ca8f5fbd404fd28fa

SHA512
a388b931031411f1f79578e5ad582530792b5c34fe26fee9a9f21d65e29b29392608ca3a093ee30c7e8f05ef2dcc8b7e3171c15d6f8a1c2be32dedf366930568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec945291e442cc96be3515d2d00714bd

SHA1
0bdd448b4856eb7410743b2d8dcbd53519388747

SHA256
e1258c3c227b9af167243da4e8ed6ebd6cc265f903d5b9cc53572eb03f66aa24

SHA512
17e12fb613167bdd06001e72f73ed115919dee2d0b5ddf1675816a27680edacc5f2a61cf7d5cb53927d9878b11e56bb9884526b9d6a93da7605c71c2bb28bfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
223dc495b5bb9fef012ab0a333989e2d

SHA1
331f4c56c646cdd6f0cc967291acc9cc570f3524

SHA256
0681c1b40cfada03163fe44ad3fa21f2f0505629659821359abbbb61abb14a2e

SHA512
62a30f55048a158b7688d236b8afdca5fcfbc38f380be062d5cef9db7066bbb5fb10dafd6fe19056e42cea1b4b299c6662048b55f4fde57672e4830d5ff13ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\821d3fc4-3055-4682-9f25-d02a619fd8c0.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
27KB

MD5
4aa91eccee3d15287b8f2a01e4254255

SHA1
d89f8203934a66b5741256aee086c04f966cc6d7

SHA256
79c601189597c9c5691b763f0ec6fdc9ec8339eea80e49713f76e9fe9199a7d7

SHA512
46424f50d444aebf1dc3a93607b3a374d3e7e988137e291cd8ec28211d05a687d0b6214b45d6dbfd27608728df6b34138504e3343e6bbfd6e1c0af98199179e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
b8342e949bf4231447b14d6f140f7612

SHA1
bf37818cbfcdbc4e907a4f18b7bd02667c5d436f

SHA256
ef960a15ec34018da382ca8a67fc03fbebb124802021bcdce0ea43e3d9c9b984

SHA512
366a9267a0f6b861aaf78d584bae28c2c889ef0175535c8ee38986c02bcda0e4a5a8cb0aef852bd2a51f4fc409c514936fe31777c7987fdad98046a894592c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
becc845d70414c78e5ef04212085a4c6

SHA1
ffa1f7d7c164e76f1182badbd484cda7050c3cfe

SHA256
e30d7c4ce18533a6c588e23a4effb50e7d7fddc8c8f0ec6481cd157173c0c68b

SHA512
a55f92faf8138cc904145c79b90518edeae3d9b8bade9b2123c07c1b8c15d5acf7d7df75ac2315e1c306c7cb775592d236b24a3a45a21d3e11057e4176716773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2020948c64caa661eb3f94c73f5ff0ff

SHA1
90224d193bfd598f31e8abd097cd788e461f08f3

SHA256
f40ffd5b1a3da5e594c71430fa3be1bd1bf073ddc6e7d7084be587321987bda0

SHA512
f64af91e2a333c1f4dc9043902c02fc4386be27d6d7a29d1a71b6b977c1bbcc3596ef13e50615afacc6c16ff7935b9c419491e7e17b74b2d42626090f1246385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
963511f122b91d1fef0efc151223da95

SHA1
9c4ac79f0b144f4c43f394c819d37db276f2a5f9

SHA256
07ad9170c7c9b78c8ce4ca05428673a68a936323568388b9027f6f5ac0641ca0

SHA512
2577d87c3747375ec5261211f5dbc22070cd3e454cb3b8150d0d671912e69fdee65082bc1164279bc8155c9cde63b37cba9c16b85ee1e437cb335fa16478a78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
ae0312dd33af1cef980292ea920665b4

SHA1
794dca5321f7f973d918b6a2070e154b826c92a1

SHA256
94f4e88685292ea17479d5896988757d1c77f8fbdd20256dacadf2948c0ad7bd

SHA512
69c1c2529b74ad7800bb9a9aafabdcb4679889d7a666833f145b5c0598c22501b41a57489cc911fb01c5c0fa313c0b5783d0be080e3a3a2b43449a6c0837c694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
4a54e9537274fa60c82edd2a0653e865

SHA1
65030234b609b3c1150ee3d184863ec4c8b13795

SHA256
680dd4119843b060849290689e9d073522fdc0d480355b4008941946b961ff46

SHA512
e10253ca88a4b1fd1697312eb18a0b4a76a571ae318d086f0bb68e7c7caa53245b385aed8544aa5dc1fe637979562e6f80cd54319230183e75084d0c4acb2c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
0fe22f261b96afe8b7bca976be93dd29

SHA1
59b3031acb8b4baa346c4e542b589b54737aaa75

SHA256
e190ec15caa5d558939217e10670d57979fffdd5c5c6529ff53ac454eccbb76f

SHA512
b1357ecc67f815e2f1a9a04110787f58e74c3da29d70ac9210eb68ad51b121bcb09598ed07184c34d2c3b8bad659eb80357eac877cf83cff17901d9908a00ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
511fb27f9ae22193cfcda91f92b33b92

SHA1
ae15183e6a43cd4d4b26666e1c53ee79ffeb622e

SHA256
e6550f9f25223deae71a91694e8989894a8ea95af260b0a5dec300815fec9f83

SHA512
f583975316f40bbef978a0830584f80bbcb9d55b04f5180080ae83b1746e56c0df75f74ec832d53848eba281ed4c3e8822db147dce57075c38d45febc70348d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b3b2a9a2ca375d850aca3272e742316e

SHA1
52c1e9c7b1b2599836fa64e19698bbf33307c160

SHA256
2f016d0b8422e1af2f4acb470e7ca53f72650ee9ceed8faad666c40cff8dc64f

SHA512
451793d4a4e37fd67502395dba5ffd838e766f99df32558c28c1b908aeaa2b26468bb58337b7101b58724c00fd3c589318c089d96b55dec4d00d458e2b485784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
78f97a3c775b157d9b93d537653bc592

SHA1
7082a3e1eb1db0b41ace32fec1286b58407e76e1

SHA256
0292145786fda64eb169a971516a900017027d63a8248ed2d630890c3cfdf1ee

SHA512
07b62bcf90dda3bdf44cd75162ed2c96f07fde2c77e6c9d4500a4bb202ccb50cf4795d9233b1e70b244b9ad1df1c309f8b514efa05ad84c282fb25d310f40620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7e0f107c43edc161afa7ad88f85d5c93

SHA1
df7dfd41bda543ff40bfdaea4984756ab8dfed51

SHA256
b7f63b0097ddb0fae0ed23b2291e2fa70c23309854a12d75fe4798db12d19b5f

SHA512
dc1fde6f681bf354969c91e5f8483f57d259391a5d776e2579d3986f1fe1673f11d0f3f1ebec4996216173449851cd61bfabbe1e4765c9d4a6e31e5de69bea99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14c2967880eece50965cbd8d742cd640

SHA1
61518cb6962a9385f0159a7589ca835173e71744

SHA256
770fbb5493a8926a076f439341f6b3f0703ae4419ece715ec3a35c5672b9177b

SHA512
a1b197d65319866cdb95dc98c3df19645dedc602289399707d394d6737d95033f74656bb42f4548b91dbec754aa782c18887e81c4d6e5ec48c0e47d76b342015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8d7fe4ca83f96cd5d44dd59e8687efc

SHA1
e476fed46d5980857a800c0a9ccb7757819a9a48

SHA256
30483ad44a6e51f4c89f43d157f0f677d9e1f53fd3ded041227654c82f289165

SHA512
9daf8a4c456f249c7db492341b7f08bdb78d88cae49084690ef490b5d03808c3343eddab4d6da5017368270b8a8396306eb1e926e25a756e9fdb9b2d7fe335d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdfd0f36483f6c7b18c2c0c90c8de82d

SHA1
4f0331c93afd64682b043bd599a82f02ce7eb530

SHA256
6fc2e00ed96b7ca062b14ab26fbc168196e2805b6eca84bc5f9f13accb509a87

SHA512
3fd09ac3973cb92650015be2f0e33a0ac034c081ad27578b10e671739e0a325716fded6fe929897c173a2ac507ac666478ce8f6b742538828dd89eb12c6c42b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7e31a07d792eafea63965efb63aaee8

SHA1
a1661d44d3534233e33226265625e963b70a709d

SHA256
dbb49f5dd710a996e38b187c6004053e43017c3be02b8da7cfdeeb456ba6b531

SHA512
da24e17b032208e32996efb430ece2ed71f3956800e10871c9d800536077761ac5430e50c358c5f67b9b56497310973801db2d34dcfb9bca830c643d167a2e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38498f10fa520a07a0114aa9fb843ea5

SHA1
b8d59a51e931245dfd3731b892352e1011d19c8b

SHA256
eef39b325036344aecb5cd00fd9d774c7e4415652d9ac555ed5e858fbc728e95

SHA512
39c86ae741cf65ba0c37fc0dffe318120e4fda4df6ff749ab279d49551e62ac3647a1da5dd4704f36ec412b30b68d25c41760d9d71a4492532a9e1bd83c431ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7e7db2828b8e169d99207cfe23f675b7

SHA1
275bd94b201cf854641853f734df0dcd2eb80654

SHA256
4a167420ce35e00b86e7c8fa06f93790c88a40c815e6458d84fa45ca1c0029fd

SHA512
b1d608ee1ef94d050701d212a188adce0e8fea8f4f302ceb111fd7d1cca6f85a83c1f17720db914cd97d238e1c78b6a2453a1e07423b8b9d0a26b392493605c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
660bf79b54d258eb2080a753d4875b81

SHA1
3d41b40244dcea7a9685932f32c45c909c15d475

SHA256
f98d3c32f3e403f369a84e7a2822ae870dc3f0a065eb68fd3c747563552eaa67

SHA512
5f08c0cd593f52d9b32a12c06d5945a45a7b1306593f7c19526f9d4edc51d0bf34321d823ea0aff8ea41b4ed6e2746648cd5b3de9ef42ed53f49b778dc7bf352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
05cb64320860d0f25eda27355250c2dd

SHA1
0b36269e6f0fc4960c69bd61f4d7c156e1820896

SHA256
356185558ccd41b147390a16ca68d083bf38cd9d62c706d4613edb1d81bf61ea

SHA512
8c618f6580a78f5a5cdef2565c4eb444f839c6be959f2d047e2e677b1de2eadaf64026efe05a38af4e92179ac3afeafeb2f68f57912d33ecf224493b39312447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
875dd7d86b7dd3bc493254dc58c1025c

SHA1
ed4d499028fc34afa52381471e42ce7167c01e53

SHA256
270885e2a29c0615b48f53cff904666f9af44775bcd276b5bab78feebeec6cbd

SHA512
47f312dcb766544acb5494cfee6fc87b1715b3273f500881784981be65f31fad1694bd899fcf649c6b47001b7c4cc306116305ae29fca972f94c11961517a15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9e527b4c210ef00fc880ac54608a28d

SHA1
d556fed9ac8f1f86769f6783e93b8f5d6bf71c6b

SHA256
f6065f4b0c316ef1171ade997d0497d45458c42efaabf7f6e8b7f5ecbb5b76ec

SHA512
04cb9f61a4a2fba533c88d066253d66028df914f50df4a2cf04bc5c64aea77cfc0fc335faa19e88fdc9ae7664cd7a06eec94875e511d3baa16f79f3663e47c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7caf8e9ce876f0e7e2df53fc981ace2a

SHA1
96dab8ca50487d595fa4d89514aaa3b4556829fd

SHA256
91216c433f6b215095cea181363cfebaafd65dac7b47ef96b8923b526e0b95c3

SHA512
e1f8aad9b708d8fa9652d614bde2620a459f340d667f1972649a35945cc6bb7089c8881747c3f84190e06c907568472e7d4dd80f6a22fe1d682bcdbdd5b0e7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cb7085083bc6fb60bfb0b9deb186f9a6

SHA1
2bbb186b2f35c68922dd2e82cb2ec308a9063ddd

SHA256
3b2f784603a40f95c573337ebd84b6af21faf163fed0c8c110ef8802ee1978df

SHA512
c2843e61bfb6995c96dd89cc7aac3fe77bb8992d3aaa87732810235d40b496ad5724c4375ef9c3dedaff8928ad937b7b52a44fb6da3df92ba727d875b6c5fc30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fedd83085a379a2e9df7f5feb96dbc4

SHA1
46c75cae98f44f3af0ffea90fea35334f9168b73

SHA256
18c0e62565d15a7480c959ef222e9c601b726dff448bbcd6b73b0687581fe5d4

SHA512
17e26c9b5148a9f27283f7b2d7768ecf79a0dbd32274d2fa2d8e6ae3f0e12a8669bc03f846c3f978a9e89647a101a0116900833610d7b04820452ffafa69a724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8802aee2b45bc243fb5587319ffaa61a

SHA1
48f372c8e0f6050b6a1247d0f4be07e027a5b513

SHA256
9e1e53a9bb81187ea7aedbe2dc7f1934fe56f820a0e198a0f2383e658e5c812d

SHA512
c053648ac7d86c28561152a5dfae1f4522f43c3558118c89536c1e5a79aa3eda04bd6df2573664d0fb50db349842bfef4e078e0928aaf313ffb21e8a89ad80b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02bc6db81358b7af7e5bd2f37e28b79c

SHA1
971fbd64ad03c8d67b8d07475c87e829706c3b9d

SHA256
5ba296052345915f89ab281bd3a4317453038e0b503356ecb93e238a6ef18163

SHA512
8c7ba53a53a1e9f1945926cd66cae5c62c77d3fed80a773027796931d35281de804ba76ae8e2ebf0113f317df777340ff6c1c1db4c9b03b5b6b7a63ead6958cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9d5ac4245a107678129488a3d75456d

SHA1
f497f931e30eb570d2007bec9c15225f2c17bb72

SHA256
11152d781a2fd69cfaf5c5e16ac54389191532ba6d4f2a7c2bb42812324d3c0f

SHA512
051f95f43d97cbabf209cf688efdb5203c893fa73ff257789fc10338547ab0916f01f6c007d8f6f0da0c05555886a74eeeb944c594274905484324b766184175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d7d7330320a63d64506fb7765064e96

SHA1
5dc9ece3293c3f24a45850412bb7084ac49147ed

SHA256
672bcfaa6e6f4ff43a75fe5132d64e1fdbf0ec050f1b8987b89d1b1cfcda977f

SHA512
1ba795236697791e9ef411757989873f5cc866f698152f8625e35880911f3cb42642659392b0dca0df043118456a29f1bc482a0104f65cd99b586c446458665f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6c1b2283177d8e478660a15f7c984a9

SHA1
f677fce69ee75c7011bdfb4b521d0daef8d8b402

SHA256
eaab07ed19ed20923c1df2e911fe39c282e13dd7fa370ee60b22e32bd93cbc05

SHA512
64e67a982f001ac424f6088c17b93497c261eef92f9fbc9eb74d3798737ef73c7197964576d2348a3bc6fcb998d7ddaf73b0963e7f1509532ee563d4bead371f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6fda6b971e091d4e37ae27b9e6f44c61

SHA1
18fb469b8f7efea96bd27e99d114ce068c15e80c

SHA256
5a5082f23ab1f5077ef0ef71800c503e2d8ce4ac66ab6b5fda2a80d4a110ad95

SHA512
bd2c2b359ed5e6f2933a455fc686e6f7acdf15d5562fc51abe99d1e5241c04a8bf5f8d99cb9e9653fe6f8f70018e0d42d9a3fdf1b8569d692d82c580f36b54c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c83e426859e7b1758a8119a227a00a96

SHA1
26ec9a005cd05e315104eae636f087ee7862432f

SHA256
a9e78ade9e64883a27cc122a53531dc8ba3b20f66ff60b688de6ddb3757209dc

SHA512
6a90412fddd9bbcd64bddbf692b31fafb400896ae1626ea2066368d8d93e721efc191c2548fb3af4822e24b2136c6fe94df245684ba830cfd38bbe6b0a15f60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e01b53d476e2e5e0bad52d3f195ce26

SHA1
82320df900cc2d8be78459e34d238ec963ad441e

SHA256
80baf18870e01cd90d51f6712070c5a55ad18e46581da639d6d27581184fb4ee

SHA512
acbfbfb836b1d7aa4ef9be01af235e6d795429d583733161c62ed8fc14d63889f9d660991eb93df21f911236c630454f4a2f86ee0c9b311904450f778ed0f27e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6550cb.TMP

Filesize
1KB

MD5
294ce2c4276d2a7afb5a104780e330b5

SHA1
82db7c6a5d162e0cbe446270e7ee9f2419201aee

SHA256
db2893ef1e0a22db2a6fd872d38301448ecab8a8e40201b63e0c718ce894a539

SHA512
f7f6640849ef6e7f698cd769b7802aadbb9d3964448fa0e2e7d90c44df0db8630b9a3aaa8672b70a872d7898a54f50d982df8cb76dfa67d2b1b97d503b7869bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
071fea3593f8e24bd8ece82ea0557575

SHA1
225056008a1a56b1654e188c6b7e5e996ca186d5

SHA256
18e82dcda07a17639ca664b9ddbaf525baf93c4b5c89f801933ed48aa232237d

SHA512
2adc607c8dcb5678f18da5097f02dddf70932653450e53392277bf89ec37a016d506ff34b6148d9748d858b0b760522fee3c27281b2fb41d05413440681d51e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51812beac3ed4479b238307309dfb575

SHA1
d9a9f77d1195827a9b84a6d099380156d56bfe41

SHA256
0d9f40b6e7712a40caf556d105042eaa0c782d3983f93a9ac6a9baa3d16b41dc

SHA512
8d17b095917fe7edc9d6d4dcf82e091429d66a21490cb97a07dc8e60dc6738f2e22736425385072fc392443127a5952c1d4f5b0ef0862f0ccbd110a6a186d48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f46e2b118e9893080d0c208fdedc3673

SHA1
7009c5303c273ff98fc040231b846c12fb6250d2

SHA256
753b755f621e18a19de43026b98c99e0359eda7d92db69198c98043b6238a60e

SHA512
a866bd03f67a5436c7396dcafc214117283b9754cad5d7d811bc836f06362ab99e1a780fbb1bba4a85f7c9e183977fd486c6f2bb6918cc6f8b314b86f6843a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d78fbb6050d8b15e0a9787c6b110e873

SHA1
814efd3fc67befe3ef28131a2ac739f0fefdb6af

SHA256
e26d0e4db05e9e429788be4c54a33d20540ff9227711daf688ef523c742cedf5

SHA512
5d0d82a75800ce0e64c7f7cf12e2882c22c76bd9ebc6560d19697a14d390224e6d3cba5e89b05b1f450ea493f3ae3051b974df7be59ebeba76a58599a80d2b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed0c6b5cf667ff5648c7f564b66b5777

SHA1
77f7aaeef5120202ab25408aef453b73b5364e98

SHA256
7345deb6d421815e9ba7167cbf53fa78611493738dc36a646ae53eaf36d1c4c5

SHA512
67c700de026ba8c9f9293a412d612e2d90f86657f2d5f7e4a968e43854780859d8c779273372b500f7fb93e4665bedd4a4da20f313c7ae30408c2ab9784fea74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a679ce9569a50ef6422636d9a86c07de

SHA1
2464f599b28ca2c60046cda50bacfe759ee5ef14

SHA256
45e4732828092e437f807388507f4ea28737a320db9e9ab96521c9b6ff5e79a3

SHA512
497c577007ecf36ddcec3e85758838d20f383e87eb2ef6ac94c982f05c5045a1b4de2b63618bf574c9ea43b347af118022e46223e7287a8ba8dd49cc61fee580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a54f78e5742d5dbe738e0d18e80aa46

SHA1
6785d6e09f96b59d95425c649761e85a2f135846

SHA256
7410b2a1f6a323e363a119c78bf51264ef69341ae23823e014a8a2597b352b0a

SHA512
9675491280a24e80ddbdfed27fe424b191d3d7fdda61e05c2f4e19a465bacdc87a72edf28049b8781495970744905502d07810a5647bddc7020891541ee25834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b36bbc9b38128a5fe2f032a334d4084e

SHA1
e088fb71bd8bb77e71c0c2a268061e2da6686505

SHA256
6e46af244135f7d44c90eccceb450fbca5cb333069a18e29a873d0d6739e1207

SHA512
49d0e4353e39d70c0d33379300e4fb4cc154f5d38f0cc8870a2fcd9d5f2b6542980a9b93e4ec1f2fb0a16fd18d30ce4eb8d060059c20efa300c214164c97944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f9209e4109db2578db036e950adec5f

SHA1
d6212e8da042b864293ceaf23961a083964339a2

SHA256
7cdafbfc2c4842f46795b540b22d5239a646432b117b81e7a95acbdb9f52d97f

SHA512
2e5eebae3865e2649ef43351157e1530a110d9a364f2e4cb944801bac740b6e1a839e8832098e5a271dbd247275f5ce78eeeaf385ed6f21a60da45a31fbf3b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a9ce637f47cb4acdbef782b0c075292

SHA1
61c4f0209f159fae19220a78c4428848c90d0e01

SHA256
fd949ff64bc93b6bcff447de4f7307dbd4cfb391faf81efe2a845f8349d9b10c

SHA512
6452ea5fff0d3139dd61de41cb37738a228bd13f7b039aa519acb8ab5f2084c10473415f0d3631a68829e81da3dc6018e37cff3618c48ae358c9a94fa91eb122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b61169c9edc1a98db544cef9bf2252e6

SHA1
4403b93c1c9a645874148498d5f517b9612ae500

SHA256
381e3cd06ab77d3c83c2289fc0507cf684ebc2b2c8ba978b5a148499b6c831d3

SHA512
85f85ac0a6c442534b470df7088d3f358679cd934ce9b9f5f4c006dd7403ad4c20c29ade538970782670da519afbff7bdf1714910651d382fd6059405c6b3268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be40db6c8fd0d8b32dd97d14f10f8d1c

SHA1
b0f3a526f60d03ca3e0e6ecd5340358b0d345768

SHA256
cca996ce3a1fb9cc44bcacc9002798fc66eab27146004d38e65ef98539510f66

SHA512
0c595146fef4919951f9f04b2f13a03094d51c87063882ffe9beb1f1b0e36fb08ca3ff53bdf0bf1c234e02ac7f878fe5bf185ec8db2c437651e74a9a47414f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8763501687bb4a9fe9c1e5cf46300f51

SHA1
707ffedee9090e87f84cecbdfb2e56301369575d

SHA256
6c48610e3f917711bb88c066f6cdcfee4a7bf6aaa46f07c614bae0bb964ae848

SHA512
68e95316361fd88c665c0561a222e1e9c1580f90ddd545d5e72cda892413bd010195dde0804a3585785aed7a48cbcadf64b62e42b87535d3bef36497c559b0f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37d71b371e1bbe4561a49e6116522856

SHA1
1d27f38a48be87081ef46b6f3a84cc27bdae53be

SHA256
1a5e28798e2c7f55061a7f9674713dbd1effb1bb324ce55b886da49d0fe47455

SHA512
c75a9035b9701db0af52b17fec1c7cca1e221e8af5678812326dfe007adff3bd748e84b82e999cb8c657303a8e778a511d880699c915577a5be2def2d38555f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b680078f8f3eebef30aa416a5c6cde3e

SHA1
f0a81dbe9678bde16f1c21108bc0e7c76d712def

SHA256
740a2911a17db45b27ad7cdf3b240e6320be79204f096f6caae535c9179cdddd

SHA512
a3cb38dcda920bd6565c0ece10a4c5270bf665e660dd05fff322421a236e1e67ff88c4b82c90e397307e4d21eeee46ff789fe5defe2ef92c3e8f2d0c8ccfd758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0a3aced4b267e373c90b61888b5c4e0

SHA1
31cc397554a0f13bf4f8229f69d631e7567c0512

SHA256
0a5933c24625dc4ebed39d480380eb8e44a0ec81f39d7fed760f2096ca4f61e1

SHA512
d5c9c62572cc9abdf04fb078595610bd26b7ef8f94e9d31489f1e33f5f5240a172a04826f609e40d5939aec50f1da174767a8e2a50a2fafa83ae46668481b04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80598409eeae658c4e2301ea27c1ea00

SHA1
3a9a9394c2123e72557ffd773f18a8f10cb30beb

SHA256
08105023aed9c8efde6f83639e7d642639a7a6cfd0d89afae5b62fe3797f3101

SHA512
7940290ec4ea4e4c0ab33cb70bbfef8c64543c2867ba90e7aa5662e3c68ff845a7041178e8c939c6dbc434a431238eb827470bfdce1331f078e5863a11a0b6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d942feb15f8628ee6c63bde417216fca

SHA1
a48ece419a788bbf0cab75ece316884876a3b6c0

SHA256
4659a56d5c61f0faa84d94c896404c25b391f9d248c9f55143184f377fd9a498

SHA512
3eeb05fe2c5f861bae9e61b4642281837a786078de287a0d68b03798cc7e988d60b4abe7766357b73211190af52f4ac582b4de6f4cb87c180318fa9b56395865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b39699ac9c2b170e28dd720814f42597

SHA1
bb0af159eb9f115fe3cdc6ad8fdae9617def589c

SHA256
03ca3419b3a7aeff9bf22455b86768cabb1c04701d16e687e89cf5015f85c525

SHA512
494f80ba70f2a86dce4492597c6cabd9831c9ce5c37cf80f891255077f79bdb3ba73d6a16b0fc482b45888a0c7f49f7ef193826fd6265da7b8e94b301f36f449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
364857eb306dfd3bdfac049bc1b0c3b5

SHA1
e5e93ad89198a1f5300f4f0771757dc4b709a0b2

SHA256
77036c94b86132766347e5f39ef5226dedcc6160c8e3debc84698e7a10692268

SHA512
47a933aca23cb60147e49d732276bffe20e1a03abe8195490a5365c93fd94a5bf75debe42b53890dfcd310777c28f71a720f886b1cc9c938fef3b0bb37000ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b6c336e3b3cb2cd04d42baac1aa4aa0d

SHA1
35a943816f3e9cd596e91be92c4bdb1b05a42d88

SHA256
4518fb6ffb3f70be78cb243cac94fcf74d9c58d2e7bd8c510ebe696d3f81cb60

SHA512
42c4a8f07051ac7c00014ddaa0b0db50bdbcb49a30ae96803e37f3a566c100932367e0a50baead881509ae4a4d49c769513626c5015fe0a02d1d3ae22ca759f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2eb0516581f575d665c8f25ee96d69d9

SHA1
d041bc23b9053c09588c4feb81f9a145aa24aec3

SHA256
1d5fa257306338d5c41cc387525ab4ecc6677a5896858b76e2272156269cd5df

SHA512
382e8e90451eff13a6ce3d4e6f979c69612016f634d6e884579e7b6d2ee93b6b1b3b21294a161099e33d4d81aaa5cda5582e6a28a799e726e887e409b54ca245

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kacyqawc.rvb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\CheckRunning.dll

Filesize
72KB

MD5
5f7de6775125b31caaa0edec7b8f2ad3

SHA1
a8f7a8ee6ce4eb8c7faa97b222b404e25604be5b

SHA256
bd83b596384b414ae4f2f9adfb0b80b2231572df12ee32a80647aaf92abe575c

SHA512
ed6c959ddd936962ddb34a13f129d0f2a0943ba12797944b6f57febeb0cf60e1c081028af1438d439fceafcb0ee1b0462fa12ab78b41a833aff8ac9fd3f1f8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\MFCButton.dll

Filesize
240KB

MD5
89f2f18309679dfaa520218676816719

SHA1
bbc1a5cbeb27cc80b3f2b53a742a00132bb2cb6c

SHA256
c3e299b95595941981fd3e3bc0194c20e62e1282ec2e52c67a5cac89a31fcefc

SHA512
2917ed234c018fce30607890f937b3338a7229a50f7d18b35d02a0cedc07ff2d81c69a47f8801e9dbd6a04bfc6a1a5636f6098b49e0d3650d1a8d531b79f690e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\across.png

Filesize
137B

MD5
ece0524c346240947640289ebaaf5a83

SHA1
b588f039b2ce34ae51c30d5fc6bae7a91c639c8a

SHA256
b4a667f9a966d6cd35a8bbf76ed849ead7b14dfe08ce4f149f8c17809418ca99

SHA512
ef38ed18f5e9521c1f0faf38d0553fedc8aeea00d82ffefe041698ccfdb5ee6bbcc5cf7dcce3be7a63aebd825771b0cad38a9717c88d18323a13a1bc34d87cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\aman.exe

Filesize
1.1MB

MD5
e53271e7cd54cedd7057cea764b88419

SHA1
fd9526d5e13302e96909055e882b799d4b69214c

SHA256
46f1e3143008be9bbdf05540b4ab7a7a07228f55b24e18a8b8943aa92b943074

SHA512
895593689c7348aea1702155abff18d9541d2cacf080011bdd5478390eb8da446e49db21bc9b4f7a14a08376f72d2585eaa57d92fb5deec86ca7457aaecce3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\iconclose.png

Filesize
274B

MD5
3a58934b887aab94f6b08f937379cd27

SHA1
1b56a9405cc8b818c4c2584372d30ff2e3f07173

SHA256
2412f5c1a826c923b6afbf41aa700066f8845227bc6c0732f1917f4671e16015

SHA512
f5232174b1c4c3871fbc0fbcab403d2281f8d2c207127466d215de44b23d4472e5dee32210e3adf2294a9be31b334e0dae14f0421ee05318ed419239bcb983d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\iconminimize.png

Filesize
375B

MD5
5577c4f4a5b74020337c273b94744d25

SHA1
46c46b1d15a07319d7396e9ab1bd686764abf785

SHA256
8e9e7818db8b22e2d7e836ae72712eb402b4e94fc43aa1b2a6b1217dfb90e9ac

SHA512
3cd31fc686103a83ce8779fc94771b51afbf1343f5ab4e36f3f2d1ede013feb6eb4b0d66c48c5f00217eefb9c407071fd30188dc0a16244d86899116c6fc4f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\install.html

Filesize
129KB

MD5
11ae2b6d5f4afb3a4c9edb1939d59606

SHA1
02a42ec515b68593d6c1827e7518393bd9c7b7e0

SHA256
af0ecad803372b0350941bf55c246d8061a6826bb4ac6abcfb6978fa3f907906

SHA512
2bf921f6600eb8b63b237da8979ac27ef5552cc6524aa9d50cc0e630d582ad127d78c8856e703dc6ed351c2ddcc614c2536b285209445646e1c2bb4ea0711e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EENVV.tmp\vertical.png

Filesize
140B

MD5
2f1b4ef6b5c3dd2174030eca6f402ba2

SHA1
c15580e3dcc711a77d290d0c57036249b527a6d5

SHA256
d7c73c8deacc5d6ebd2ab64834a915bd02040b357eb0e325300232751270b7d3

SHA512
f7f5e43a688baf360beb710b46ed0386740f6c4056a33204168b0ee8884e446ed0c9079fd4fdbbdc181d22ed5dca122ae2f0ccf361a2dce076792d58aa32c05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temAFB3.tmp

Filesize
582B

MD5
8a61e54c036cc53fed6cc70133437180

SHA1
1fd78931fea6ba5b5b96fe98c55946d499007926

SHA256
3560912572d8bda24c4451a5dfebc0a9a81a5994f330112e8dcaf8e4b33d7308

SHA512
815dc62a8861ef11475d16616d78edd7b70add16ad7afadf600f47649f6d443f9f5ed06678509596b013ebd2f17ecb14edfe0dc70c805987c630311ff3424ab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
df266ed4149386798301ab523d92e7ae

SHA1
232769736d88b887b1c67346f844600352134892

SHA256
b492dcc20c6074e1d760fd39e152985de1b60434dfbda05db77d0b5fdb77252c

SHA512
fd3d111d5a01c6d614b0ee3e9b97781fff522f247e4bc211e7bb8ced2f82a22d3bded2aa8ae54a6b977bab26414e00fa876cfc43954910e632da61d1b2ba0151

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
5a9f343b90c5b5dd29602e315abb4f23

SHA1
20500a2b941e7666b9654f1c0ee32988ce8aa9a0

SHA256
6e9ef7f3423b6172cba19bb84990a5f6d0cb27c9b856345d434b1904200d9f5b

SHA512
4b61c2ffc9f2fefa64e02b741be028b0754c416de5b2d053922edb68357a26094a0baddc50c5b0ee4274d19db19d4d835dda69313d4ccb1feac3540be8eca1c4

Download Submit
C:\Users\Admin\Desktop\ApproveReset.dxf

Filesize
355KB

MD5
ce84f2bccddfde72305bd0c312e7cef6

SHA1
ff02ff7c8ee292c2e6690b2a7d51ee707d3d67e1

SHA256
143b66ad09474013ab8a45c5b63a142770c4b246aca73fffcefe073b757c5ac7

SHA512
a19479b73c4b29a77cfc32d6900d88b2d041d014a35df272628d59fcb75e65dfc4aa0ef43691ce8d6acc4d8edb207be16140761f41efaf75e1054dcbb910fbf4

Download Submit
C:\Users\Admin\Desktop\ApproveStart.css

Filesize
391KB

MD5
547379cb8c44ede41851cf749db3bbca

SHA1
ed8bb4a9146658d63449a5641270ec55032aa635

SHA256
09ab1c575b020a205a9f5de013c438b5adf63a183808be894f17d038bcf203a0

SHA512
0712bcaa29acbd7e61b36caeb02728c6580fa682e8e4da7b957887f185e4d0b571873f0aa101bacddb9ba3a467b5b569ecf5d7d2d99fbb86f147ccc4a7dd0f99

Download Submit
C:\Users\Admin\Desktop\AssertSearch.snd

Filesize
551KB

MD5
e17062023426a1301f430090b0436932

SHA1
847d30e42c47d383ee1c5cf2cfe4e22fb396de83

SHA256
7f11cb988cfbdad31d6b792bd234aa75f0a0afd1d87108f720b32d532b09b13b

SHA512
25b0d925420055f6456da3cdb97c8629f9e82d34f71fd32254d45acf52b2558262bd162c56daf5f3acedd52145066828a796901191775ca5b12c077246855556

Download Submit
C:\Users\Admin\Desktop\CheckpointEdit.eprtx

Filesize
497KB

MD5
4058601714cb8476916f9fd7d4f0c058

SHA1
a0300b56f89ebb52029a14aa7376ea47a79dfa2d

SHA256
6b074a7cf8b54e0d3196b56432827b00c253391c69ef366ca17d9fc1c1093131

SHA512
f6879246a8108510d68982bf53c685326425e00d89aa92c216fdc5f3eb6e45dba3a817098c17ef945867bc86d650efa5197c67e4d7b23f2a4ba4b10618ab99fe

Download Submit
C:\Users\Admin\Desktop\ConfirmSubmit.mpeg3

Filesize
231KB

MD5
5b74bf3533c28455ee4c262af7ad5d65

SHA1
df8cc683352e15d878affe32cdd49af9c91574f0

SHA256
5cf73d0199f8ff7278a1d2bb3ad7e1b335173344447be5aff8fa4ecca18fa930

SHA512
8654af80af8d9419b47ff274f36b38955edf58d38ec294c15304f156cc65bbd687ad53e6818ab46c8d09e2e28d994c86ec944866c1d1253286a7550e37eda057

Download Submit
C:\Users\Admin\Desktop\ConvertFromRemove.html

Filesize
266KB

MD5
f820118363a0824702959904e3bb1a3a

SHA1
67b02580ddfebbebd44d0d81a09b46dd7289615f

SHA256
11141626fe9bec6a75abd1f6665819ed93645414ad6e28cd56a6c84f645d2c72

SHA512
efdb1176c25a5ad6b43ec759d482645577321feba6d9e7a7f729b51edc900579afa385f4260ec297841f4055d418eb5b65d0aea68465df8785840cb46af32cd6

Download Submit
C:\Users\Admin\Desktop\ConvertFromShow.rm

Filesize
604KB

MD5
3a6bcc6d7d500b1195e2c9a251292bc0

SHA1
101e6d5c665e8ad56c2c5518e2ca7adb6f78cccf

SHA256
1c1cfb382de9a15e8372da699d6369165581402d3d4b5640472b96e87f7d9be0

SHA512
d4d3deea3062a1aa5adcfe7a81b79fc32b255e334a6ee253268ed2534676da0b45a589e4e3ae99cf128dd74330a66b7989f0e9c96fa01b8bdde706db58568e4a

Download Submit
C:\Users\Admin\Desktop\ConvertToNew.lnk

Filesize
479KB

MD5
6874e4fe3dccf2104e849a88057387f9

SHA1
2d5a6552fac4df1f7a73e8f7c4254de32639494b

SHA256
3e69558620e6f3d354281e698e8a0f1d9499c8385ddb74fe639fa840f305bbfc

SHA512
3a315bbd8a91c6afd50d4eb533370001f6e3a827dc02a8db093ef4a62c013cc6e227ef4e1322e086ee5e2b3d40fe2a2e23f594865aadb60a66effa5e5d54bee2

Download Submit
C:\Users\Admin\Desktop\CopyDismount.cr2

Filesize
284KB

MD5
415056ac3d69a7415a5c3cd7d13cdb6f

SHA1
4afb33624e15ae7b0c81e197bd93b1c6063edce3

SHA256
224f91a3d87ec6aa799bce328c2d7ff85542fd736f0194f91e556680ba7229ea

SHA512
cad97befe11e74aacc158980e3b7023fcadb4437c06382de1075da0f527de5f8cc7f51da42b8d341ba7a05949f750d2916b42be262f43576fda8c6fc1ea9ef60

Download Submit
C:\Users\Admin\Desktop\DisableUse.mpg

Filesize
515KB

MD5
e70876d08acd8024016a21302fa07c1e

SHA1
6adccf5bf8db0f0f9168a9ae5702e8dc6006f80b

SHA256
85eb74eaf524e68363b50789b0052bb9023936eddccde124dd9b56785a654400

SHA512
aee73814da8dccb354df3e1c0e938d53510e14668ea3c28b4ee5f3689648d77ab0d49e5e8afe153646b5b7e8aa4ebd926c1fb4f8b8caa36988e8db3665aaf23c

Download Submit
C:\Users\Admin\Desktop\DisconnectEnter.docm

Filesize
835KB

MD5
6e4b323728f8463b30f1bff4c37538e8

SHA1
ee0460440c7b7741ae44fd8032704f31f544fca9

SHA256
5a8d25ce4cb573d19d6730115466676eac062f6f2625ed45167ecda723208fe0

SHA512
ccc073f9deb1be62d26f7d7bac98f84d29e61730425cbd883fa780aff53c3d1609b9250ffbfebcddee8c09044c4aa386e2e699d0ce4f3705ec95307f529080b1

Download Submit
C:\Users\Admin\Desktop\EnterSwitch.docx

Filesize
19KB

MD5
7271377e5a5d92b732e0d33dbc75a634

SHA1
f388a1e3ad61ccd2304617e8bd6cb7507b55ba77

SHA256
a24c9f5f1ed14910efbf5b9ffd31e6c09b1904366a736d062b5160eb8c8ab868

SHA512
cb013b72a3007fcaa771dd6493f99ec04bfa09bb32eea3e6dc28ea49c79c8dc6e539c4d84eace7d9deba00f3e6ae298e081697e60296677d43eca5ebb2604b30

Download Submit
C:\Users\Admin\Desktop\FindProtect.wmv

Filesize
248KB

MD5
fd5ab6c50f279afce21526c5939071f0

SHA1
04952050e61f4dc05e33223a5652d21e542e0c5e

SHA256
20b79c6ffd3d6d25484dacc05d580e3fb6f4e20fe5c3d1d7c5f2a0a3170e595f

SHA512
441f122039d73893da52fd83d4f5ffbcfcba85889114b0a055ceefff1dbdadcb6128b2ab5c8b6905388c96975026b5703ab697dc7bbc86a09ee3e8d548621a3c

Download Submit
C:\Users\Admin\Desktop\HideDisable.xltx

Filesize
302KB

MD5
24d311168b7997299656614a9f0fe040

SHA1
6c638a0556f4ae1ab98a2b1cf07463cf963e6226

SHA256
321a249788a410ce5c804b26fb815d18d3883fbbeee073b591b88992e431088e

SHA512
7986993e88d8237b24fc29991d0a408f244825a1382fe442704c34a042d8f45174b7cff9b123cdc597e28b59dee86de078991dfc1f5e6c878fd6d46ab7a1c371

Download Submit
C:\Users\Admin\Desktop\OptimizeUninstall.ico

Filesize
533KB

MD5
9f3e941105a0d342305ff2ce60c217d4

SHA1
f2a14c6a980de19f712cc1e0041a2e7968cebce5

SHA256
9e9cb15682e9a27462194fc84643fcacb5723e8c1474a4c4c2f81ceb4b5cc705

SHA512
4783e39ff14dfb3ca24b48fe0c06b24b03b998f1e07dc53d83fa9429be30227bf935199b159737b57cb6ea2526e4b7a69296c6e74b77e8d6e94e305082f8899e

Download Submit
C:\Users\Admin\Desktop\OutHide.docx

Filesize
16KB

MD5
46d3e0a5b1d3ed2137642db75dae8784

SHA1
f8f9b548b609b796bdc458fcde3fe0bdbcd8bc05

SHA256
3743883fa709cbef5fe8a5f6326289bcc859274af15bc7014b94be04c4cb3c95

SHA512
1f6aff1aa09d8e26bf5d9bbcbf2d7a4fe501eee3e1708a975c9f7bb1b244056de7ba14000e968a103d22659b2c07c44646c8bcccae4f821ea67daa8f9756eb33

Download Submit
C:\Users\Admin\Desktop\PublishPop.vbe

Filesize
337KB

MD5
29498f8e7adc599d1541ecf86450e750

SHA1
0ae0ce894b580642891c657f55176dad6578d6f7

SHA256
a4a8ada5e9f9ac7721cd4335eafbce6f8ab69f41b5efd147f058d43841558281

SHA512
7c5a11d40a408f891ab14254e0f6ff47807bed73bba299fde1cdcff37156312af18829fac5230dfb78c899d7327f20e195d96065eb41ca54ac609112bc96c518

Download Submit
C:\Users\Admin\Desktop\RegisterInitialize.docx

Filesize
14KB

MD5
893dc08be34f94e44d544cd1ea8196b1

SHA1
55e7a57706b6f75bc657e635810957a95ddeb349

SHA256
1b48b352602d186f5fc119b0c3041c213146821d1b30b97662ed7d776c26864f

SHA512
e0b350645bae87d62dcceee1e0df07cab4444ebf0d63d0378f6848e6e6261367c8eb1c9601e41d06736e47aa853b51a3978eb0c843d584683828aece2ddf1edf

Download Submit
C:\Users\Admin\Desktop\RevokeEnable.php

Filesize
568KB

MD5
b4bf6011ea6a928bb7f8f6f6a8413599

SHA1
3da68dbe234a05285bd39a2b38bf59c1f531a0dc

SHA256
dec16a0499f4a536048bfa6275f9db834a1f70327efa76e8162ac7086bb7e1e5

SHA512
8168804668986b154f587899feb8d967abe8cbf4b83aacee6c7849ea183e00bc209b525bee7c9ba60c1b2a49b7a49e15baac7c19d1fe2509b204a32023fcbcb3

Download Submit
C:\Users\Admin\Desktop\SearchSubmit.fon

Filesize
373KB

MD5
7a82d68c074f4cb6f273a95336512acc

SHA1
892f4ca3d4c91c2bd99cf055f4b5953944267885

SHA256
d0bcf93468757ac2c136e402c3e40559b840f0f919767b84862799a6aed9d801

SHA512
f464606c9ab3b6a698f067bede24035834283157646c8fba47633e220fe14080ce627e24d4a7c2f40c3fd8ba4c35e543ae42c6feaf1c5cdf776deb9b095aa0e4

Download Submit
C:\Users\Admin\Desktop\SwitchComplete.sys

Filesize
319KB

MD5
3e33c5fa71942fb28bb09b0f2e714a96

SHA1
c6654447876d91f1b6d2c031348b356115a108c0

SHA256
9cb03b1528aa054144a2960d5484e1d2c98ed1ceda2e2147db0306ce380d0ab1

SHA512
e927e508bc50d623938308493c0460cddd07e0c06ad9fdd52a274225ac84b5722ae292161c66a44d84f8be11040d8bbe5c6542d5a6642587e995ab6695801907

Download Submit
C:\Users\Admin\Desktop\TraceConfirm.rm

Filesize
586KB

MD5
a3a7a9274ebb6342a235c752c63f52a0

SHA1
8e8590838bfe9cc2e6cf8fd17a0a9d8ece30fdf3

SHA256
7a92fdfd37430fea744ef66e9cd3b630b7b88971f3559e2e9cba97106f40336c

SHA512
16c8598e8a265a630053fc82bceadf1eade5d6fe052abe0b6bf66863e6ecde3ce332a8b4f2758a6fe48dddec91b5791f3a131f420748eb6d24037d3d09667678

Download Submit
C:\Users\Admin\Desktop\UnblockStep.kix

Filesize
462KB

MD5
3c5333c7ec4aaced1e07710fe6880244

SHA1
12995c3bffa8f2300ab7f33ed337fabe03b82c3b

SHA256
063f77e06ee24fc374ef1b3fbf78ed31a29a3e17281217036f7d9a0b3fd66900

SHA512
684a2d50020affff46636adf165a1985c6c0beefe19822209044a83a6ab6e70a069713ddeaaf4afa5c73bade008cfea4dc705949fa9c7a88c48f98f57b564326

Download Submit
C:\Users\Admin\Desktop\UnlockPing.dot

Filesize
408KB

MD5
8fadb3f7f0b00e62aa9bbe2944e3dc19

SHA1
02e47dbfbd75cf70d7e944508c6c9b53c5263a06

SHA256
3e8e450f8c98337494b3d87dcf635af39ff88a57043a178e6ed55a47d3d399f4

SHA512
c03d0bf3a8115d9e466c0657d8ec714a7a7726ac4f0f87d6c8484842c0c3d9115e5fd0f8623011dc52978b2e9e58b3d96b7fdb6bd337940a3bbb4cc2e28b991e

Download Submit
C:\Users\Admin\Desktop\UnregisterMeasure.sys

Filesize
213KB

MD5
06655cf51cd9b13296eea55e2ff7c1cf

SHA1
fce4ab8929e5033b2413fcec4420cfee2efccb26

SHA256
01a965c037e4e2805efd9a5ecf063c2b295a0affca0429eee4fb9c60072b4da0

SHA512
f205c68bdf9209b6b3968d9d68d4e33cd1b24453165bea1989350787d497beb6620929bcda74959211cd1738ecb23cdab5aa4716fa432f58515e0cc5bd214a61

Download Submit
C:\Users\Admin\Desktop\WaitMeasure.edrwx

Filesize
426KB

MD5
636c8600282e642349ad9d47f2d428db

SHA1
8461bf684b9c3b605e32272cdb15d6073ebcadee

SHA256
17325d1897dc60a5e2cd34b715e833965604801beac5b83eb31b1e7b5e3a3441

SHA512
c6c4139847f307238100820c76c4e13352fb9d94b8e25c3b77e566db0ba2442c9c82ca36da06f1824d5bf53e76541a59be51688a9726c4a0269e146c88df79a3

Download Submit
C:\Users\Admin\Desktop\WriteConfirm.contact

Filesize
444KB

MD5
623b9a6a34682950fc7f18abef4263dd

SHA1
4f834bffb3fac101fa3d188c9b06566a669f1703

SHA256
c797e9febd789c1e4e9f3a8ada468744a4195535b5099cea59fcb7081dab6c5a

SHA512
16f24143c608fe7b9591cff0ea0b6cf116e409579d29136ed54e84c98e98cf10fc3511d80cced1e4d1109ce90168e84f0d4daf01cde75e053ab77977d9e12791

Download Submit
C:\Windows\SystemTemp\temAEF8.tmp

Filesize
206B

MD5
b13af738aa8be55154b2752979d76827

SHA1
64a5f927720af02a367c105c65c1f5da639b7a93

SHA256
663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

SHA512
cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

Download Submit
C:\Windows\Temp\MAS_64daa097-aa2e-458d-88f3-5d65507b8d7f.cmd

Filesize
426KB

MD5
dfea7e1bc10293cd7a9ef732fdcfa174

SHA1
9226e8f9662bee16886e23159c5a9da71aec62c4

SHA256
6e7254e4d8f70ddefee46f8fe69f6678049734bce418737b7c6071348bec754b

SHA512
6f36812074a2d53fa22d3568babb98e4e6b4fd86ed383ccfcee042eea1c77262a2dae6d07e586e7a83f003ed06442565240873b7be795ed4b042e36886eec00f

Download Submit
C:\Windows\diagerr.xml

Filesize
12KB

MD5
68f7ef22b3e26dcc90cc81e48155129d

SHA1
a5e38db13ffa22ae23251573c7b1b079c4267a41

SHA256
e7cbca9904aa7547c6c617e60ca7658761cd550f1e83c450529b59ba0f26b88e

SHA512
ce3ae8d0cae1ffc876699f7b4692bfb018998a38660a6664dab1530cc24b07f466971e31dbecf39c786c0fa86c1b980af5c5af71d91520985cf158d755d8192f

Download Submit
C:\Windows\diagwrn.xml

Filesize
13KB

MD5
70757bb715401d58378cefa1164902c8

SHA1
bd3a062d175b954461d0f0f705520648e87836a1

SHA256
eb1bd7c706c8294fb195901c8f0c653df6850504c913484f070ce13d4159973f

SHA512
09b6d56c517f236a631c9cdd82ae997ddb44d28b9c7c458da77b279048245a7842f01543aecbfe1a3887903ace1a29e216adb5884e0f8d8ec93eb41d247ce821

Download Submit
C:\Windows\setupact.log

Filesize
39KB

MD5
0da4ec09c2d08215eb5d04f682abb197

SHA1
ea2eabae46eb9aeb3f779cce7ca03f76965183e8

SHA256
42c87a5b756c6842eba0a8e833d9276a036100b388b55aa0e29bf524563ee3f9

SHA512
2dbb3ee27df61fb967260d265bd17e74bdd420115e76099606520f477158eed926189bc077cef64c762d9874e894dcacb4d856b541e10c5bf6f42526af3d7e41

Download Submit
memory/1104-61-0x00000220F3E50000-0x00000220F3E96000-memory.dmp

Filesize
280KB

Download
memory/1104-82-0x00000220F4510000-0x00000220F46D2000-memory.dmp

Filesize
1.8MB

Download
memory/1104-52-0x00000220F3D90000-0x00000220F3DB2000-memory.dmp

Filesize
136KB

Download
memory/1124-415-0x00000209A52A0000-0x00000209A52B0000-memory.dmp

Filesize
64KB

Download
memory/1124-416-0x00000209A52A0000-0x00000209A52B0000-memory.dmp

Filesize
64KB

Download
memory/1124-424-0x00000209A52A0000-0x00000209A52B0000-memory.dmp

Filesize
64KB

Download
memory/2220-1855-0x0000000003C40000-0x0000000003C4E000-memory.dmp

Filesize
56KB

Download
memory/2220-1713-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2220-1850-0x0000000003C20000-0x0000000003C2E000-memory.dmp

Filesize
56KB

Download
memory/2220-1908-0x0000000003C40000-0x0000000003C4E000-memory.dmp

Filesize
56KB

Download
memory/2220-1907-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/4468-1712-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4468-1687-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4652-417-0x000002950F230000-0x000002950F240000-memory.dmp

Filesize
64KB

Download
memory/4652-422-0x000002950F230000-0x000002950F240000-memory.dmp

Filesize
64KB

Download
memory/4652-418-0x000002950F230000-0x000002950F240000-memory.dmp

Filesize
64KB

Download
memory/5356-438-0x000002700F960000-0x000002700F970000-memory.dmp

Filesize
64KB

Download
memory/5356-434-0x000002700F960000-0x000002700F970000-memory.dmp

Filesize
64KB

Download
memory/5356-433-0x000002700F960000-0x000002700F970000-memory.dmp

Filesize
64KB

Download
memory/5620-175-0x000001AF7F8B0000-0x000001AF7FA26000-memory.dmp

Filesize
1.5MB

Download
memory/5620-176-0x000001AF7FC40000-0x000001AF7FE4A000-memory.dmp

Filesize
2.0MB

Download
memory/5728-440-0x000001F84EE80000-0x000001F84EE90000-memory.dmp

Filesize
64KB

Download
memory/5728-431-0x000001F84EE80000-0x000001F84EE90000-memory.dmp

Filesize
64KB

Download
memory/5728-432-0x000001F84EE80000-0x000001F84EE90000-memory.dmp

Filesize
64KB

Download