Malware Analysis Report

2024-12-07 17:07

Sample ID 241113-l4c4tasrdl
Target Screenshot Nov 7 2024 from Remove.bg (2).png
SHA256 fc6fcea9e6541a11089cec9049e3884721799a1305763d7a2623c7f96a10db65
Tags
defense_evasion discovery execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fc6fcea9e6541a11089cec9049e3884721799a1305763d7a2623c7f96a10db65

Threat Level: Likely malicious

The file Screenshot Nov 7 2024 from Remove.bg (2).png was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution

Blocklisted process makes network request

Checks computer location settings

Checks for any installed AV software in registry

Obfuscated Files or Information: Command Obfuscation

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Runs ping.exe

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry key

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Gathers network information

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:04

Reported

2024-11-13 10:10

Platform

win10ltsc2021-20241023-en

Max time kernel

192s

Max time network

220s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot Nov 7 2024 from Remove.bg (2).png"
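The submission carries a .png extension but was detonated through cmd /c, and the powershell.exe command line in the Processes section below reads a MAS_*.cmd file, splits its text on the marker ':PowerShellTest:' and passes element 1 of the result to iex. The following triage helper is an added example, not part of the sandbox output or of the script it observed: it checks whether a file's content matches its extension, and reproduces the loader's slicing so an analyst can see exactly which text iex would receive. The sample .cmd inside it is constructed to have the same shape (batch on top, a PowerShell section after the label); it is not the file from this report.

```python
r"""Added triage helper for this report; it is not part of the sandbox output.
It answers two questions about a submission like the one above:

  1. Is the ".png" really a PNG, or a script carrying an image extension?
  2. For a batch/PowerShell polyglot, which text does the loader hand to iex?

The loader command line in the Processes section is
    $f=[io.file]::ReadAllText('<file>') -split ':PowerShellTest:\s*';iex ($f[1])
so what runs is element 1 of a regex split: the text between the first and
second occurrence of the marker (to end of file if it occurs only once).
"""
import re
from pathlib import PurePath
from typing import List, Optional

# File signatures of formats whose extensions are commonly borrowed for lures.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

# Tokens a batch script exposes in its first kilobyte (compared lower-cased).
BATCH_HINTS = (b"@echo off", b"setlocal", b"goto :", b"cmd /c", b"powershell")

# PowerShell's -split is a regex split and case-insensitive by default,
# so the Python mirror must be as well.
SPLIT_MARKER = re.compile(r":PowerShellTest:\s*", re.IGNORECASE)


def classify(name: str, data: bytes) -> str:
    """'matches-extension', 'batch-script' or 'unknown' from the first KiB."""
    ext = PurePath(name).suffix.lower()
    head = data[:1024]
    if ext in MAGIC and head.startswith(MAGIC[ext]):
        return "matches-extension"
    if any(hint in head.lower() for hint in BATCH_HINTS):
        return "batch-script"
    return "unknown"


def split_sections(data: bytes) -> List[str]:
    """Every slice the loader's -split would produce, in order."""
    return SPLIT_MARKER.split(data.decode("utf-8", errors="replace"))


def extract_powershell_section(data: bytes) -> Optional[str]:
    """Exactly what `iex ($f[1])` executes, or None when the marker is absent.
    If the marker text also occurs earlier in the file (for instance as the
    literal pattern inside the batch part), slice 1 is the batch text between
    the two occurrences, not the PowerShell after the label."""
    parts = split_sections(data)
    return parts[1] if len(parts) > 1 else None


# Constructed stand-in for a polyglot .cmd (not the script from the report):
# batch on top, a PowerShell section after the label.  The batch assembles the
# split pattern from two variables so the marker occurs literally only once.
SAMPLE_CMD = rb"""@echo off
setlocal
set "_m=:PowerShell"
set "_t=Test:"
powershell.exe "$f=[io.file]::ReadAllText('%~f0') -split '%_m%%_t%\s*';iex ($f[1])" | find /i "FullLanguage" >nul || exit /b 1
echo PowerShell is in FullLanguage mode
exit /b 0

:PowerShellTest:
$ExecutionContext.SessionState.LanguageMode
"""

if __name__ == "__main__":
    print(classify("Screenshot Nov 7 2024 from Remove.bg (2).png", SAMPLE_CMD))
    print(repr(extract_powershell_section(SAMPLE_CMD)))
```

The second function deliberately does not "fix" the loader's behaviour: when a polyglot contains the marker string twice (the literal pattern in the batch half and the real label), $f[1] is the batch text between them, which is what PowerShell would try to run. Comparing split_sections() output against what the sandbox actually executed is the quickest way to confirm which slice a given sample uses.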

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Both rows are attributed to DeviceCensus.exe, the Windows device-telemetry component that runs in the sandbox VM on its own schedule, not to any process spawned from the submitted file; this signature should not count toward the sample's verdict.

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val C:\Windows\system32\DeviceCensus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\DeviceCensus.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\System32\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A (62 identical rows in the original table; the report records no key or value for any of them)

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A (2 rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (38 rows)
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A (24 rows)
(64 rows in the original table, collapsed here by process; the report records no indicator for any of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (6 rows)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A (this 21-token sequence appears twice in a row, 42 rows; 33 to 36 are privilege LUIDs the report does not resolve to names)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege (first 15 tokens of the same sequence) N/A C:\Windows\System32\Wbem\WMIC.exe N/A (15 rows; the table is cut off at 64 rows)
WMIC.exe enabling every privilege present in its token is its usual start-up behaviour rather than something the script asked for; the rows that belong to the script's own activity are the SeDebugPrivilege enables by the PowerShell instances.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A (4 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below appears twice in the original table; the duplicates are collapsed here)
PID 5048 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 1072 wrote to memory of 3136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sc.exe
PID 3136 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\findstr.exe
PID 3136 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3136 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3172 wrote to memory of 4196 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3172 wrote to memory of 3752 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 4180 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fltMC.exe
PID 3136 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2928 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\findstr.exe
PID 2928 wrote to memory of 232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 3164 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2928 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 1192 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
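The WriteProcessMemory rows are the only table in this report whose parent/child pairs start at the submitted command line; most of the other signature tables are populated by Windows components the sandbox VM runs on its own (DeviceCensus.exe, clipup.exe, UserOOBEBroker.exe, OneDrive's FileCoAuth.exe). Each child appears as a pair of identical rows in the sandbox's raw table, written by the cmd.exe or powershell.exe that created it, so the rows are spawn edges rather than injection. The script below is an added analysis helper, not part of the sandbox output: it parses those rows (copied from the table above as its only input) and rebuilds the tree. Two roots come out, PID 5048 (the sandbox's cmd /c on the .png, which opens mspaint.exe) and PID 1072 (a powershell.exe whose own parent the table does not record) under which the whole MAS_*.cmd chain of sc, find, findstr, reg, fltMC and further powershell instances hangs; the report as shown here does not say what links the submitted file to PID 1072.

```python
"""Added analysis helper, not part of the sandbox report: rebuild the spawn
tree from the 'Suspicious use of WriteProcessMemory' rows above.  Each row is
a parent writing start-up data into a child it has just created, so
(parent PID, child PID) pairs are the edges of the process tree.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# The 32 distinct rows of that table, copied from the report.
ROWS = r"""
PID 5048 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 1072 wrote to memory of 3136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sc.exe
PID 3136 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\findstr.exe
PID 3136 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3136 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3172 wrote to memory of 4196 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3172 wrote to memory of 3752 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 4180 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fltMC.exe
PID 3136 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 3136 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2928 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\findstr.exe
PID 2928 wrote to memory of 232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2928 wrote to memory of 3164 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2928 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 2928 wrote to memory of 1192 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
"""

Edge = Tuple[int, int]


def parse_edges(text: str) -> Dict[Edge, Tuple[str, str]]:
    """(parent, child) -> (parent image, child image); repeated rows collapse."""
    return {(int(p), int(c)): (pp, cp) for p, c, pp, cp in ROW.findall(text)}


def build_tree(edges: Dict[Edge, Tuple[str, str]]):
    """Children per PID, image per PID, and the PIDs nobody in the table spawned."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        children[ppid].append(pid)
        images.setdefault(ppid, pimg)
        images[pid] = cimg
    spawned = {c for _, c in edges}
    roots = sorted(p for p in images if p not in spawned)
    return children, images, roots


def descendants(children: Dict[int, List[int]], root: int) -> List[int]:
    """All PIDs below root, depth-first."""
    out, stack = [], [root]
    while stack:
        for c in children.get(stack.pop(), []):
            out.append(c)
            stack.append(c)
    return out


def render(children, images, root: int, depth: int = 0) -> List[str]:
    """Indented 'PID  image' lines for the subtree under root."""
    exe = images[root].rsplit("\\", 1)[-1]
    lines = [f"{'    ' * depth}{root}  {exe}"]
    for c in children.get(root, []):
        lines += render(children, images, c, depth + 1)
    return lines


if __name__ == "__main__":
    ch, im, roots = build_tree(parse_edges(ROWS))
    for r in roots:
        print("\n".join(render(ch, im, r)), end="\n\n")
```

Running it prints the two trees; the depth of the second one (powershell, cmd, cmd, powershell, cmd, sc/find/reg) is what the flat table hides, and descendants() gives the PID set to pull from the Network and Files sections when scoping the script's own activity.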

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot Nov 7 2024 from Remove.bg (2).png"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Screenshot Nov 7 2024 from Remove.bg (2).png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd" "

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd""" -el -qedit'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd" -el -qedit"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69.2.8"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':winsubstatus\:.*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "Subscription_is_activated"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_c8454cd3-6bf8-4c22-b937-84fc43dad052.cmd') -split ':wpatest\:.*';iex ($f[1])"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "13" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440 0x80131501"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "

C:\Windows\System32\find.exe

find /i "Ready"

C:\Windows\System32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "

C:\Windows\System32\find.exe

find /i "ed655016-a9e8-4434-95d9-4345352c2552"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\usoclient.exe

"C:\Windows\system32\usoclient.exe" StartScan

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem159.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem263.tmp

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\ipconfig.exe

ipconfig /flushdns

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"

C:\Windows\System32\find.exe

find /i "traceId"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\choice.exe

choice /C:10 /N

Network


Files
