Malware Analysis Report

2024-12-07 16:49

Sample ID 241113-lz2avazenk
Target Art Year 8 IMG 0658.webp
SHA256 e50eaf87413548b3f85476bcf328fcb55767807b295170913a43bf0451a127e9
Tags
defense_evasion discovery execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e50eaf87413548b3f85476bcf328fcb55767807b295170913a43bf0451a127e9

Threat Level: Likely malicious

The file Art Year 8 IMG 0658.webp was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Checks for any installed AV software in registry

Obfuscated Files or Information: Command Obfuscation

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

System Time Discovery

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Checks processor information in registry

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 09:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 09:59

Reported

2024-11-13 10:04

Platform

win10ltsc2021-20241023-en

Max time kernel

280s

Max time network

278s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Art Year 8 IMG 0658.webp"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\system32\DeviceCensus.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val C:\Windows\system32\DeviceCensus.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache C:\Windows\system32\DeviceCensus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241113095951.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7dfdca25-84ea-4afa-b599-beca34cbbe1f.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\DeviceCensus.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\DeviceCensus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Windows\system32\DeviceCensus.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\DeviceCensus.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\System32\ipconfig.exe N/A
N/A N/A C:\Windows\System32\ipconfig.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3420 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4756 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Art Year 8 IMG 0658.webp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Art Year 8 IMG 0658.webp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff88fe246f8,0x7ff88fe24708,0x7ff88fe24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7cb575460,0x7ff7cb575470,0x7ff7cb575480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd""" -el -qedit'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" -el -qedit"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "

C:\Windows\System32\find.exe

find /i "ARM64"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\cmd.exe

cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"

C:\Windows\System32\find.exe

find /i "True"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "

C:\Windows\System32\find.exe

find "127.69.2.8"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':winsubstatus\:.*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "Subscription_is_activated"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "13" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440 0x80131501"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "

C:\Windows\System32\find.exe

find /i "Ready"

C:\Windows\System32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "

C:\Windows\System32\find.exe

find /i "ed655016-a9e8-4434-95d9-4345352c2552"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\usoclient.exe

"C:\Windows\system32\usoclient.exe" StartScan

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem78EF.tmp

C:\Windows\System32\timeout.exe

timeout /t 2

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem7F77.tmp

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\ipconfig.exe

ipconfig /flushdns

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"

C:\Windows\System32\find.exe

find /i "traceId"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\choice.exe

choice /C:10 /N

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 98, 30

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | find /i "Current Edition :"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Windows\System32\find.exe

find /i "Current Edition :"

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe {7B9E0A07-13C0-4F6B-8F44-9C8CEE0C06C6}

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c dism /online /english /Get-TargetEditions | findstr /i /c:"Target Edition : "

C:\Windows\System32\Dism.exe

dism /online /english /Get-TargetEditions

C:\Windows\System32\findstr.exe

findstr /i /c:"Target Edition : "

C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe {2B41A1B6-1482-434F-97DC-AE5A93D5791F}

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL) get LicenseFamily /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL) get LicenseFamily /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "" "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "

C:\Windows\System32\find.exe

find /i " EnterpriseS "

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo EnterpriseS "

C:\Windows\System32\findstr.exe

findstr /i "CountrySpecific CloudEdition"

C:\Windows\System32\mode.com

mode 98, 30

C:\Windows\System32\mode.com

mode con cols=105 lines=32

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('GetEditionIdFromName', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $out = 0; [void]$TypeBuilder.CreateType()::GetEditionIdFromName('EnterpriseS', [ref]$out); $out"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('GetEditionIdFromName', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $out = 0; [void]$TypeBuilder.CreateType()::GetEditionIdFromName('EnterpriseS', [ref]$out); $out"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Retail', [ref]$out, [ref]$null); $out"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Retail', [ref]$out, [ref]$null); $out"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('KCNVH-YKWX8-GJJB9-H9FDT-6F7W2', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('KCNVH-YKWX8-GJJB9-H9FDT-6F7W2', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Volume:GVLK', [ref]$out, [ref]$null); $out"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Volume:GVLK', [ref]$out, [ref]$null); $out"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('M7XTQ-FN8P6-TTKYV-9D4CC-J462D', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('M7XTQ-FN8P6-TTKYV-9D4CC-J462D', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="M7XTQ-FN8P6-TTKYV-9D4CC-J462D"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\usoclient.exe

"C:\Windows\system32\usoclient.exe" StartScan

C:\Windows\System32\mode.com

mode 76, 33

C:\Windows\System32\choice.exe

choice /C:123456789H0 /N

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\cmd.exe

cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':winsubstatus\:.*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "Subscription_is_activated"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ver

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s

C:\Windows\System32\find.exe

find /i "AutoPico"

C:\Windows\System32\find.exe

find /i "avira.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\find.exe

find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "

C:\Windows\System32\findstr.exe

findstr "577 225"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "14" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440 0x80131501"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "

C:\Windows\System32\find.exe

find /i "Ready"

C:\Windows\System32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "

C:\Windows\System32\find.exe

find /i "ed655016-a9e8-4434-95d9-4345352c2552"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "

C:\Windows\System32\find.exe

find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\DeviceCensus.exe

C:\Windows\system32\usoclient.exe

"C:\Windows\system32\usoclient.exe" StartScan

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temDAF0.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temDBCB.tmp

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\reg.exe

reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b -1073740956

C:\Windows\System32\Wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\ipconfig.exe

ipconfig /flushdns

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"

C:\Windows\System32\findstr.exe

findstr /i "PurchaseFD DeviceAddResponse"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"

C:\Windows\System32\find.exe

find /i "traceId"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\choice.exe

choice /C:10 /N

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/troubleshoot

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff88fe246f8,0x7ff88fe24708,0x7ff88fe24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 get.activated.win udp
US 104.21.24.156:443 get.activated.win tcp
US 8.8.8.8:53 git.activated.win udp
US 104.21.24.156:443 git.activated.win tcp
US 8.8.8.8:53 156.24.21.104.in-addr.arpa udp
US 8.8.8.8:53 updatecheck.massgrave.dev udp
US 8.8.8.8:53 l.root-servers.net udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 purchase.mp.microsoft.com udp
GB 95.100.104.23:443 purchase.mp.microsoft.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 23.104.100.95.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 l.root-servers.net udp
US 8.8.8.8:53 purchase.mp.microsoft.com udp
GB 95.100.104.27:443 purchase.mp.microsoft.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 27.104.100.95.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 massgrave.dev udp
US 172.67.201.171:443 massgrave.dev tcp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
US 172.67.201.171:443 massgrave.dev udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 img.shields.io udp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 172.67.173.89:443 img.shields.io tcp
US 8.8.8.8:53 cloudflareinsights.com udp
US 104.16.80.73:443 cloudflareinsights.com tcp
US 8.8.8.8:53 171.201.67.172.in-addr.arpa udp
US 8.8.8.8:53 73.80.16.104.in-addr.arpa udp
US 8.8.8.8:53 89.173.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0f09e1f1a17ea290d00ebb4d78791730
SHA1 5a2e0a3a1d0611cba8c10c1c35ada221c65df720
SHA256 9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167
SHA512 3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d

\??\pipe\LOCAL\crashpad_4756_MOBFTUXNNEWOHVVZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 63716c70d402b580d244ae24bf099add
SHA1 98a3babcd3a2ba832fe3acb311cd30a029606835
SHA256 464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233
SHA512 dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 aa10f656cc16d036a580048ba0bdac0b
SHA1 52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c
SHA256 166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d
SHA512 748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e83dbaca5ed291f8d502d0b1f03cc2e9
SHA1 5f19d80986871a9f6ecd1670d21741c9a4acfa61
SHA256 00d3f4cc39bced9bf4c7c46fda06c5e2b1676248d9185e5857b617481e3adf97
SHA512 b482dad7cb60c462c6829e9d501312cdeb493a92c1517d06805816ebdde4f34551a58a3cd4e498b7ecbb6b7d099de125f955915e55d55e650575b7a73c41769d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 311fdf529564bbc9a1706971c4491a05
SHA1 1936f7199ea99c2960917bd920beca5931232187
SHA256 b83cecbafdec42da9ee69903fd01fc9ba36fe6cd1f33d90faf1f307c3344874a
SHA512 6010a1ca9de99bfee5d0da3acaa494d16a9114ed63ef60620e328e0cec0da22591d8629c045a09f06d6c4db52245565c3a4c4555f4b347dd7d09f523ba4409fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 46beb1833073c89375df9846b0e070f1
SHA1 7a7d5b58e797ed384fa68289d65dae4c78c3ecd6
SHA256 e5b0e7efe3a9b6546602c47403ad88a7e48ddf3df8e8f2bc1b0acb816ee7b456
SHA512 f981d8f25e096812a8039f731abaee0ef569845cfa61a07199907cd433c75139ffd1d6ace255a4e5f0ef8c09a655fd3abc63cc4c5729e53786395336a29252fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b9912da6c91632693879fddfc07fd2d0
SHA1 d055f464d349e08b34483de75ab602792f499387
SHA256 a205251f7bf94ee39d86cd9c27516b24fb8f5de804476c43781bfc4f50670ba7
SHA512 9adcbf85ed2ccef478752120efe80a67750a43bde2b54cd6db89cbca393a5e539f2db7605dd07e1abc366495106a89f55b2c184e87dd848a2221ea08f3f69459

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dc74f07718b16ee09f41da8367831e4e
SHA1 4622da56df4f7d66df29a9013742ab69aa057c31
SHA256 65107e8006d99418b275615b670c51945bba86978605a693d8dc6e9add298237
SHA512 b0562ed6d469107ee258ffcb3489d533e42369434edaa3d661d9189bf34212838a198acd904f4cd47c6c3e0e12ba7022983a15086b008f82c88e27ba33478fac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ee8e616a03201ab31e032c60a6d81b15
SHA1 4fa72ee1a3ed74f7798b3b58cabe174c675adc12
SHA256 2d77f4c62538359ca9c795a3be97c3817adb7954e004fe4b85cfffbf216f64c7
SHA512 97640f1aec0c917ca0bdda6f0228eff1d4274d2d681c73206be660697d3a7fefbdeeda23d6e3fa853228be633b4988e543a41f84bd027493c7d633089c863151

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7d2aa4c721a1ea581e7938c57d22edf4
SHA1 d6f8b00c3340bc527fde62ef74cd868efd8759fc
SHA256 29060355368f5ce66ee00e8547fecebbca7ac1bb8ccd2a747237255abbb057a0
SHA512 423ed7be995a97733352611dbf8139a51fc657c4c23ba6a730ceb082909828e62c0948c06584aeda28cc077c3de55937197e19896b215e5527bae58949f0327e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ec29f58908360743251f6ca67c99e4c3
SHA1 922df42ae861e54aa8ec1c013827d8fb9484e6ec
SHA256 da12f2a6889392b4e09537fc7cd7b9a10a3256680984f6d9ece0c7a8a48636c8
SHA512 04ecea6b3abe85564ac68ad0395af9df1c253664ea2eb00ada27f493944fe3603a737ec0cdc7195384532cde2f17952ffb626b0b286006e63d817e79c8e978ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe57b71b.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/5984-326-0x0000019EBF3A0000-0x0000019EBF3C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u42wgzwk.put.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5984-327-0x0000019EBF8F0000-0x0000019EBF934000-memory.dmp

memory/5984-328-0x0000019EBF9C0000-0x0000019EBFA36000-memory.dmp

memory/5984-332-0x0000019EBFC10000-0x0000019EBFDD2000-memory.dmp

C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd

MD5 725cc0d8fc938832c19dff2b529ba0b1
SHA1 e48dad4850d07763f9127dd3bfe6ed8dcd62588d
SHA256 64f59cc74de6732700a0dcca7ea9fb7315b82797644264c6deea5d00e9dc263d
SHA512 8498445efb715b7effe19e256617529990273d3608aec9bbfd71e5424bff292aa269f442d3ec2cdc2f3deb30981bc9e338ae4f5a9fa12217e9889b317e69298f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f1e518cedf7506f68ca57e6d8359022b
SHA1 47a59f4fb45872b24444a79b1f0e1bde037f8d11
SHA256 830b9b11b8587d947b14989669afdc4d0c0e6c0d2f65eb92e07558f168ae3bfb
SHA512 c8f827ef3776bab1b0fea08ea267b3379bf73a82e9022bd1d4389e92134e1a008fa31aa261aa63224d26ad1ec7500272ee8044dccfe7e22f1eb205ef4e2e8910

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ed30ca9187bf5593affb3dc9276309a6
SHA1 c63757897a6c43a44102b221fe8dc36355e99359
SHA256 81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122
SHA512 1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa1b22941ad0ec24a2b63dd9a043e85b
SHA1 ba92b36b71a74f16261913dfb2fccdbe984a4d31
SHA256 1d288a199c43928307beedbb402776c5592c79664d25d9a4da7125f99db9a1f5
SHA512 2ba24e81087af3379821fb669b77b1401c80b2fc56a6c9f1916dde42c59f7340f0a20658e313cf7113e36c37708ebf0f7d1768dc7375907992b3c180dc36e4cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbac284df5d085bf52e00cb6ec219bfd
SHA1 bdaceda191a7f0a646d3866102a25b3fb7a6f45c
SHA256 1a2cc170a183db403c7de5187c33aa6ffaf434804bdf88a410da2633d288d535
SHA512 03675d30e3dc8502a577778aa74a25528e897b516cc8aceb890c4043108666e4135a0624cf074f74bda15dcc4f14f639ad355d9d5c4551f0fa43d7dcd78548c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 642610e02505cb6fee570c0d786e6901
SHA1 f6bc047d34670430ae30bec9aebb8bd37adc6d66
SHA256 44b4c7dc246558da04fa562b6ea8d73f4c76be0bc3b180bcb0963a46044ec3cc
SHA512 58dd463a8a611c6f1efa5dbcf8da525177106f853e0478e3ff236da4314ab66a1948f2613e45158b240c5aa0bcda35f384fdad4a07600ec86dad86cdbd0d2943

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4358cc43baf609e48ac91365fc13e8df
SHA1 48072ea18937b879100efa1805741af0d3f035b5
SHA256 d109661abe6eb45e485ff9b2441dcd62abf6ccf6d2efcfad44369295720a339f
SHA512 49f33371758032d0ef48bb8987b8277450279218b6b263eb80fd91c68fc8268261c2a32ac26f11ca79b67cf4165a716129effb7809746ed0a173453125812590

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e889e3fb350f37e279de4d6c352888f
SHA1 eae5f2084f62652f17c77c010ac6da4c0f043367
SHA256 4e00cc5b1e653364f156dd0694eb4b46ade2495d010f4e792ae917da0b04bfc6
SHA512 0c8c01cc39ed4b4f14fb5053bcb62bd1d6f5536d88565ff4955ae95a870c8f3f227ba32bb4698a06f763a7a1340ba7048ad7eae2a81e9ddc73b164cc996756a4

memory/5212-433-0x0000026CC9A80000-0x0000026CC9BF6000-memory.dmp

memory/5212-434-0x0000026CC9E10000-0x0000026CCA01A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39329ac610edda1fbc5c1da1304eb4b1
SHA1 294987ee15e12289511c84caf771868384ea2a9e
SHA256 b30528817e2fbfc358b75adb373f259a7727fb9ebcdc14e8b628c02eeaebf145
SHA512 03988fe0729bc9a72b488591f578df68eae4a00bc13ac100b5f33e38236db7b29f8d96c32af42f5f63472087b76292a381a1fc744db29e7414adfdd1b9a08727

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd67bac2c8300839d0f639840ca07b60
SHA1 25215e741e30edd8176b3097c4e3e772328e0a7a
SHA256 993aaf987d59b5db329b28c0cbb6456850234f48fce4552f93ceb63312ae9d7b
SHA512 8f9665deaa25ae36fba47f037f1eb3a8da566cde8d5b0a839aeacca62f081c3792d78f04cf08bd6a0b2687de8d690f0db3e45dbe6bafe83299d8f88f196f1a5e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 06866ec52e37821c95b1e747c16f245c
SHA1 9b68db7b9b248508e511663c59d95664f832b1f3
SHA256 3c0e88651fbd26b0e6cfec09cf64e945609f467e95b2f5e48b0f9fcfc33fd798
SHA512 739422e394e08bb1355bab96ab0264b447a0dc3283f415f8fe2266df4ee453e2e7c5abff131947729b28c541fcbb6768f8e9805112553e3768bb13c5eca644d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba9b62db2c5a672a3bcb30a7b92a89bc
SHA1 d147ca957ac6e8467bb7bfbdae384f8fca0234f7
SHA256 400ed8f32218fa218c821fb65a19a3866c3f1b6923409a1ea1cd4e9a295c6135
SHA512 77e370ffc3ab3f2eb3af574ceae03052b023c883b232e455cf3e3bfba8dfc9f223d294aa8172a6e81980ad9b639ff60dcbf06a6e47bcc9129b7764cfcb8ac4ea

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 932d0d26287ef68fad4e4c9f87224441
SHA1 8c9fabe625d8ac70f1066b414ca78f9cb083ecfa
SHA256 d75e5f08aabc75dd6bff42876b7e053f8fd55dfac027df0790d111fe745b4e87
SHA512 78d4709309880bbbdf8c2af0df7709656ec6853ae35b9229ccc07bf07040a5650d7290e3565e27b3495e803481aa29a7f18a76ad35ca77852b5d78d18c6175d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7c02e49f2a5d5aa59ec1846af116ac3e
SHA1 fc59714ddb520533d040d21e56024dbeca7e0e33
SHA256 0e2f194061b63c03ebbe36587ff17cf56b19e894295cb43b62a69a74aee53792
SHA512 429c89deddf4c740efb7b1e6a0a22e6cfc040c5287f7f99552b33235ff749401297a71e780f48a3a3414c05419ad7b813b8ef77f4e344c21c8ce2c9a50544b8c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 24fdc43ba8d8b3a7b7c11bc00b43dfd9
SHA1 eed810fb5b59663df7e09c7b30f03bb391cfc6d8
SHA256 c0a684c00832c1d3177b4ef2f4262808a86363d9284ed5bf42de741720cef946
SHA512 e610a629b1a4924822037b1ae7cbd2ccad2595b8209ec9b1699778896215ea4084a7edc177f916551d95ad4122efc2b2ce26ec27ecee3ec354922dedd8cbed77

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af428a941548144ee7daf4ad9f7d9432
SHA1 fb85cafbba12b2466f69215daa612c1f6a698406
SHA256 e8b38f8b83e3eecefe00dcd444fc3d6a3e796f551c33a84772f33d3e932fc33f
SHA512 971560b85e8deed891d1c592bc689f358d0345a4a2ca400fb717f87ea8d0e35fe8fe0dc16f69185ed713eb687fa8fb1ff338b96932c7d9603458d7c5e7886d00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f9d789478516396187c30a5ace633d9
SHA1 151ba29c113dd31d9cbbab38ca1af3df0ca1be67
SHA256 b154dd059608746bc0f5229c861c0eb40d553f670314efa60af7cc7af15d48f0
SHA512 db0ef29d93996409c0a5ec5de52864a3b760cea78d33347002391f1561a4fe9439cf251e0c70ea856023f3e83fe4cef4b17bde823ac9276066f00a31fb446601

memory/1484-558-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-557-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-556-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-560-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-566-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-565-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-564-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-563-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-562-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/1484-561-0x0000021AAE6A0000-0x0000021AAE6A1000-memory.dmp

memory/5824-578-0x00000164FEA80000-0x00000164FEA90000-memory.dmp

memory/5824-579-0x00000164FEA80000-0x00000164FEA90000-memory.dmp

memory/3508-580-0x000001EC45260000-0x000001EC45270000-memory.dmp

memory/3508-581-0x000001EC45260000-0x000001EC45270000-memory.dmp

memory/3508-585-0x000001EC45260000-0x000001EC45270000-memory.dmp

C:\Windows\TEMP\tem78EF.tmp

MD5 b13af738aa8be55154b2752979d76827
SHA1 64a5f927720af02a367c105c65c1f5da639b7a93
SHA256 663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512 cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

memory/5824-587-0x00000164FEA80000-0x00000164FEA90000-memory.dmp

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

MD5 997c02c58d08084dc3add213a1423bea
SHA1 bdebad616f5973c24bee81f28ff3d7977f6df586
SHA256 fac11bfc9d31501b72fb52424cb32d99aa57087f6ff8bf077edcf308e3948215
SHA512 291101ad29d84d4f51eed691454ba65d7b2df1b2a07e28bea7a48ccd3433675fa0c10cfab06aae9ec2bccfdbcaf3749deb30e6a1a9f4dce902e6a0c450cf5f61

memory/5444-591-0x0000018D70BC0000-0x0000018D70BD0000-memory.dmp

memory/5444-592-0x0000018D70BC0000-0x0000018D70BD0000-memory.dmp

memory/5692-593-0x0000021BBA540000-0x0000021BBA550000-memory.dmp

memory/5692-594-0x0000021BBA540000-0x0000021BBA550000-memory.dmp

memory/5692-597-0x0000021BBA540000-0x0000021BBA550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem7F77.tmp

MD5 92cbcd3ffb7c0bf0625d609c9a1d5bae
SHA1 2441171951dfcdf629ceb0dcaaff3327f1d24d57
SHA256 62387ab052e3c4a5c4ff28d9d57cefcec9c98a8a1f321f55fba472795e25e5f7
SHA512 7f33787ddd909b127e96a6fef362bd95891bcdbf90d12892aa394d482fafb1dde8f5592516467d800499e434fba1c6b1ba99398ce485cb2027fa47449d2fd323

memory/5444-599-0x0000018D70BC0000-0x0000018D70BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c7086483a50704a7f0f49ba1499ddb8
SHA1 cb8abb397f089cb92610844bb8dc8309ef00a263
SHA256 60974ff6498c1ddb11f297fec828b59fd6436b6472cd6482e0f15aba0a908b3c
SHA512 c7d3d7c688f407ebdc025d31ece8da284f4aa05656fed87055cc1bb6d199cfff1f152b598964647794b1e66ebe3bffa698230f92158676da56f415b520aae11a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45f14d7c4d37c9ae964828b378442d56
SHA1 5a2c7a3f3f3ea71b0015ea6cfcf2c3f9ab7cea9e
SHA256 88b0b1d7bd53507114a83351217ca4f253983066734f8982b6061fa76598999b
SHA512 2290c6c6b927435d987ca61c33db65a61c44f1d5d799d2d757fc0988666655dc913f9c8b5738138fc368444d983a8e0214353dbc9e12dfbfe31848ed434f1503

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af1a90cffca209f1746013a816a3838d
SHA1 f171422e10457f25db8ef8626ee0b8ebe46ae78c
SHA256 bf7162606243d18731c213dba90e62f847e947dc717487a8f32b64089feb8f6b
SHA512 092c0366f8de1600c3df0a1b22f151b3fe5a1750f5f0a50b0f163560c1b787fb798ed8230c76397ba332b5320319ce3abdf4f88fa4896444dd7c206f83310daa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3ef3c33ee4a817c753b3e9b67944115
SHA1 c1d46babdd3d5a51baccfe0ed32c6fd4f6fe2c51
SHA256 bc71fbec97387f6e555cae2ea9822a1b6236ce985b9bbf2b6f790f743269689b
SHA512 f43aed7625ac1a2d917ed6925b4894ede583f7f2fa53f6f339684e222dd4240f0ac991b8cb3a7f97553489919b4eeacb3bcec9f1ae754f935b213b6bb468a6c0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2d24f9830de86e00fc6649cb269ccce
SHA1 cecfe1506beccf1f3e19a4e9a71dae1493e9dc9f
SHA256 f337c17166085d53a4029f3fd0f09b29cb524aef98279710f7dd5406a2fdc3ec
SHA512 836a5909ef2f68b4974737b1d7eff4171fcfe9b20f06b7146134c53e20531a96a8c68c518c82bf5082e647e2675124c8f98a8ab2d9e27e07f47a667c3e18c8e0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 55c8068c0072a7be04da296108cf4b2b
SHA1 d7db9aad58cfc1dbf099e618e90c9a9f9d6fcf31
SHA256 6b60b4d8068679065493422f5e57114ebe5af4a6257a89b7e5578e3509c1a8aa
SHA512 0466ed56ce66e971a9a9bd75248db835953a6442aee1fa93153a29091811dc89c360d94c6aea72e51836a491e70aa237d7a9d7e504241f109395c150dba358ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f9501b14862b1e3e89277027bae4b067
SHA1 38c5048c214f2bcd3ff2597f0048b86d05aad0e0
SHA256 e37bcb654657ed09c4bd1974a9bf2bebbb5a58004bb6cd52d423127262d9b649
SHA512 042faf0255f1a3d043f372e4b4a7d4992f47ab5eadb91af898957cce93cc5fb82acc2f4c2b10245ef3c4e2526d89724cd37a3d140b99bb454eeed303c22e04a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c9d156a2d0f37470a5eaabd7755cfb2
SHA1 ec054eaa0c8a66b720c9724b74a0256bcf70ebe4
SHA256 0e677df9a6e2da72beaceacd0f2dba199b7e40f9c3785451421a1d297ec767e8
SHA512 e9d6e0b2ac22af97fc970558b75c1edf9584cf918851256ef675150e1369fb2b543933b26dbc428adafe4cc2672bcf7596e3ca5c480f1e7ea9b30d05835de76c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48453691abc99ef5025fe38fefe0e6bd
SHA1 d48a471c537c9ee339a29f117fb67e471f270cf2
SHA256 bdcd2d00fbbbba2afc974c3e23977c52fc8d9617c93a8fe8362ace97261154fc
SHA512 4c7866ed25a8ef241044cc5288aadfdd7ca7077174d645e6e5395f782df9d9afa5cd2fcbb99836ad6472a60f04eee9d63a6dcbd5243402605d9739ceb880f03a

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\DismHost.exe

MD5 97cb1e2fcab378421c4b91df0c9f8310
SHA1 1227ce5f3a75bbbcba54708fcf73a131b0887a29
SHA256 e36bcf02bc11f560761e943d0fad37417078f6cbb473f85c72fcbc89e2600c58
SHA512 1b4668daacbebbe79bedc508f81f0e5ff0545c5823f05c7a403f4e8eb58bbf866f975b8e41a9148f6455243fe180c1afa32cd6b337f7d73ba0cbdf00f7e32de6

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\DismCorePS.dll

MD5 35a07968ec37231249f3f072ae555e3a
SHA1 a6b5be5daff384d24e68c7d3d540e9edd1e95ce8
SHA256 e5f25e5a170cb3d165c3d143eae967b96ab80f88fb09176da8591b0b68c77e00
SHA512 4806377c40eb0604410bf4760a3bf3ed99a1506af023977f6ad04090d790818034f8ffaeb6f51cf3a16a2109e0f567ddf5d182a50468481a2ed9adb2fe899261

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\DismProv.dll

MD5 ab0dbc4f05b33eaaa447e31accab8d21
SHA1 7064962fbc7e1fdf0cbb13a44e587e28168cd299
SHA256 6a3c3f07bddbc3079873f8799f2c19adddc59f15d6b2dba6e9314e5626bfd2a0
SHA512 a4fea2a0d5a9da86cc1f3868882a4ac661581a77f57251ea073259e0421d6f047b9da7b19e3916a970d7ecda652b4d51d0e64c7ef5d59338eb209b580be85b24

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\OSProvider.dll

MD5 684fca651758ba405144d5fcab6ab7fe
SHA1 da595c60fbc4336fd2c61b45384dc0dbc3bf599a
SHA256 ae9b66a6e0b1949890241c67037cef2c59d4f4faef84849789e0fee9184f41c6
SHA512 4f8a9c524dd4e0f2a2f6f67a1ce42a7e9590fc5715f9538d8e0c7ff0c67d4bcbe10318bebd6328ee29c6c3b9842d0e176da7e663a88d9ecdec8c6404571c3756

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\LogProvider.dll

MD5 1176e91f4f663b03515b4d944dcdd72b
SHA1 fa341a412720fd79fe1e1f6e11d850a4e103871d
SHA256 a4ae8aac8660aaa255cc8318c7971273201e62954d6d36ac5d7ec738fb218258
SHA512 c31f3bbff71ebc3f29813cf55754593262884fc71327db58622da62daa92062b1e8e2f6877a71ca832f40e7127c478d931661527485e801b74dcfdfaf6670874

C:\Windows\Logs\DISM\dism.log

MD5 c174edce1cdae5c12a57d3bc65c23fb1
SHA1 2c08f85935e202a7aafbfa3bf9a6a9685abc5a88
SHA256 c8cb38968072d9f46dfc8f88f0f30ddfbbbdfdc0f6a64368720e990da0c39020
SHA512 95834754a913f9639f9ddcae6f4ce75c76aad36be544c344ff9bdfb9c71e6e7e9117987c07a85a87c5a989654c7eff25dfaf10a05e09718fd93762b034174b82

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\CbsProvider.dll

MD5 57a9a702d5f51b625a869cb6ac0ede0f
SHA1 e5db4003f5a82ea666bbd70083edcb9ca38446b4
SHA256 b19a6d57b76593369e7e06cbcc5bcfd03e18adaa3934fd59c8705213fb5779ee
SHA512 818420f8196f964a2998b1176e87399f3d473237112b877c4e5662b3f601f8492fec3ec2ecd39822bfa12134cc2dd85ddc9e1409ea15ae6b58d8021c69840a85

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\MsiProvider.dll

MD5 0655a77306506895e5d3b5e7dbc833e0
SHA1 51087449d02fb42c948a1f53735bed1ccedd1ad8
SHA256 bfac469b3bfe0dc5419059d889eabb2ab1bdf1a6298a6de743cf0f189a48c679
SHA512 dab8ce18208670e720927f3d6bc317cb81b72c6ca95a92e637d9e19bec4666b3607747bbb3f0ef7285a41c49a26c2a52fb225224ece22aff391f89df2f9df61d

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\IntlProvider.dll

MD5 18d4bd2bc601dbd4ca32e46f052fd152
SHA1 c0c04c30b9248c06a4f488d7921e1067518f2a2f
SHA256 207c51a4acfb244f05804b54c4d4f71fd5de4745434e40c969d888a4109677df
SHA512 583993ab11f59a4f0a3ff00382323f2ecec735ad8ed55d4ba388ea4e661edec99f4f7f9914b826dfd5ed21a24af719a4e0bdff6b5fc10dd08be21fcbab627394

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\IBSProvider.dll

MD5 b5b8c30b6eadc678f37d865061684219
SHA1 c78dc8160d7f0d794d6a156d9194f16314a0a361
SHA256 f1bcba5928da73db1a78355afd4cedb8d66e09d28fcfa6ae75112c5e10b0d841
SHA512 de2b7c5a03298a467152a8adc308c4355ca420438b96035083d524b2058daec9d2434eb62d329f747eb9768af8324a306d1e257005df7ddc2ff093a73068e06f

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\DmiProvider.dll

MD5 0c2e5696f987350b0ae36e692d10ffb2
SHA1 31b0eb2cca497dc532a61bcefe1813641049a0e6
SHA256 52fd26a88d386b906cd1034df69618195e98a3a2743fe4aa185c461b24d5eba3
SHA512 1f20c7002fec8cd7395a93e204f6b3bd33ea4b2d693cd0b04554ab6ffe6458505289c92914bfb56850f5ba43bc60be3a436f6a7b0268dcd8542ca767b2d5cf31

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\UnattendProvider.dll

MD5 4fa1ca63b1f8fe59d6074ca92fad82d2
SHA1 9da8e65c3196984544db3197cf0b554a8e800a8d
SHA256 201ea386a50b5d4317a66c1889c669ffd2e545a2531e33806aa00605f8852a52
SHA512 9d1a44b1f09a28c91edd7b727abbabbc57b7b72cc2e00973eda8d1af2861d1128be09fd8ffa43dd5a0d163010bba7da58285384e889259121dc772d8bf3b464b

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\SmiProvider.dll

MD5 97e089eec3c6898bd4159c39853f0dc2
SHA1 ffd3d226ba179abac9d2b24d9081aae1f9c42326
SHA256 bea12ec326503df121ea00e2ab05235d5c89f7040e7481f723acd62feb92f319
SHA512 1ddc5fc98ed3daa5e279693e850e99c14f04b216bbec3460422b29b30085ef2003d0519add06ced7640ff6e14ee3aa0000ebe093bb6da4e40ae34b0fba676f73

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\AppxProvider.dll

MD5 eb9cbac1aa278b6a8afdb95a9feb4dcc
SHA1 9f12442d4cab56ab451d3954783632f77be7f8e4
SHA256 1bf704107250f4c08fdf2c450d4ab402ba5317a8c026cddf98c0ce225f487d4c
SHA512 ea86c2360622401aa61c8932571df2dbf6c5fcc438d5b1048d61cfe9542cba0b74c1454dced6a13a7cd20fbbe5cbaa0b1432b8e4a6feb6702fd0b7cc37b436f4

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\ProvProvider.dll

MD5 5d7572a7a3724966cf940465ac6e4fbe
SHA1 cab0fdc627744e0f3d99dcc1ca8e8c1b9309301a
SHA256 2d3af1a4c4733d01c46ab82cb7e8ff0392db91db207ca9437a956c9bc5e2186a
SHA512 fc8fe42a23f1c4dca3205c63b22e8717f03c51307267367e0334e1326e47055abbb4738d003bf3340d3a15365c2625c2b791b3a083128e15d37398aaaa969e6d

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\OfflineSetupProvider.dll

MD5 db1c840507ea36d04d8f8f503804daad
SHA1 990152a67191059ac486074f0a50b97b840bd8e3
SHA256 23fac2578e222a023c7b67186d67070518c17f08a6c39644fbef76293751efc4
SHA512 90da4d328c27f1379f7f9e65019aa242e1899b1a2a5f9626f08aeea020b8f46583878891b8a73b4c555e381f1e8f8c5be5c54dce2d7a2498c2e3a40c8abcb5a3

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\GenericProvider.dll

MD5 972025e2a66cb9a86173223c70ef5421
SHA1 aea2430707dd822904b5762d3e3d9dcc4ca0bab0
SHA256 ba683e9cf490d59aa1092e9f29196d6b48702ce8913d19f167870907ff50c424
SHA512 27e45bda0e699b0cd660b1ccd5873238ab2137067dc3b595a67e8632812642edc6f06da9169f5e38152b921cef47924e75226655adf9b71f64e509a91879a1f8

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\AssocProvider.dll

MD5 b7db592706d3eefbcf0d5a166d462e56
SHA1 935123fda68594f0c52a765c4bbf468e4458189f
SHA256 de21321272862e7c332e1724dc315f06f3abe7a0340e61d351cab208d6bbf059
SHA512 91a1529db5816695c4424eaf71923ec63430b872cb1e179b6fa63c84acf0ac94baf71f39217f6c28818cd74fcad954a29f1e2efe655c5a0353f7aafdf8740f0c

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\SetupPlatformProvider.dll

MD5 c35697a1ce80b310b670c2aec0c0234f
SHA1 0b4c0bf45f008c09aa51d0152390b4d198df2eb4
SHA256 1467d5059e367ca56a80fc7f169d8f562026f7020e64f12b97a6ee94f92f086d
SHA512 17d8c5ddc72dc7eadd6ece79f432b03fec38e6f494f65318326fc1aef64b52ad2658c29583f7f5b15a11c45102917cec57e8f08828d3a7a97aab508f53e3c5cc

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\TransmogProvider.dll

MD5 e60476d1585d1388e6e1761ad1fde0b4
SHA1 18422195c4ffca0e8ba54d81fbe8500096acacd1
SHA256 d9bb6d4e87c1d869a2a8e03d2b0e5ddfeb086207f10d6c559a939f644d31af88
SHA512 0ee8a343b37c0b61a9f112689d9428978db997a217b8057a6932fab806968ccd63c5560f19895b50c9a01d57588e574a5308ed06d7f57ca37c2f8d51fed2a8bb

C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\SysprepProvider.dll

MD5 d2b254097ee4c8d3d87e6b450e38e8a6
SHA1 2fb26e509ca4261e660ee8f1da1a0e9db12925bd
SHA256 663d8e04f20c8ff6256e680e57cdc738cfc3cf7564ec5f507493dd5ddc72b27c
SHA512 6fbdbc93fc565f1882ad1ba4996eec35510d67330330e2421c86df41284d97293a0d25034c228e0f2430e727125499522be6572adaef1ff31ee3499f9f573654

C:\Windows\Logs\DISM\dism.log

MD5 6bea84c3d0b3706ca1b134c164757a73
SHA1 d847eadd4bfc08ae5fd14c06962341873ec44a06
SHA256 658e4c12e1dd59d81dd7d244054ebb0d82060f151e30699bb72477fdf943203c
SHA512 6129892978ac779e92614b8bedf68364d486618fe3108ecec76f4b267ee01dbc947e4a54e57d87e77a176eb725e96c30f545eff84b4d333289c83a065ae0f231

C:\Windows\Logs\DISM\dism.log

MD5 6e6e45a51b6f2e249802dcba577af76a
SHA1 b2ce869f898fbf3b4cea4e94d78b88c6d24c7fc6
SHA256 3a9a98302e3ce1b8fdc0c5255c6f31537e1ee19b95eec47c9456dcf03e9699a5
SHA512 721229645a62934628af9fbd4cdb66e7691335054e76b9fcfeaa8e1c7212a5a359f1e00e4c0c533ba2db4398a3a9808ef7a949306b0310a3c6bd35128890efff

memory/4444-818-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp

memory/4444-817-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp

memory/4444-820-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp

memory/4504-840-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp

memory/4504-841-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp

memory/4504-843-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp

memory/4000-844-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-846-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-845-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-851-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-853-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-850-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-848-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-849-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/4000-852-0x00000296AFB30000-0x00000296AFB31000-memory.dmp

memory/1068-987-0x0000026D77460000-0x0000026D77461000-memory.dmp

memory/1068-986-0x0000026D77460000-0x0000026D77461000-memory.dmp

memory/1068-985-0x0000026D77460000-0x0000026D77461000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

memory/1068-991-0x0000026D77460000-0x0000026D77461000-memory.dmp

memory/1068-990-0x0000026D77460000-0x0000026D77461000-memory.dmp

memory/1068-989-0x0000026D77460000-0x0000026D77461000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8c9827cf078a6275541477ea4206cf3d
SHA1 2e31ca2931ad53d271b5551d814074169cb66aa0
SHA256 c99a43d9688755a0bd310e4b4d04841a79b3e95b8246e77bba3dae1044a9991c
SHA512 0be1cc67373280c4177ec559fe4ee2a6319c62b9a81e009c34748f6685d123515968b22ac28811856329d3877b8c7ffbb0716ae5800f41f585ce310d42d1cfbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae0fe8c5c3fa1892790674583938de9b
SHA1 02cde0eb30d4acf8c899f2fa9931f40873f74716
SHA256 2a86315e898bf22f263bf06bb1fdb50b6fa0a64b1579cafc1195dd8e159886d6
SHA512 7d7f0027d7797049f5360b5160da6013667ed7702af8f45c5bd20c78d4189b038a3594e1015d4a675595dd51109ed84c0f82de505b97c432beeff2c82dfd8713

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e7b90da81836667f8f4cea770980d0cb
SHA1 a4dad82965b664a7f2990b80e8d6ea40cd92b3c3
SHA256 8e11f2adc62928ebf48fd56882bfb7dc36215e0f845e59f889724b3646748084
SHA512 4e8bbaaf654de7a9a011a862a5c6aa8cc4d5e37dee267e89fc1301456e973cdad65fdadc9d3e6bbcc9b72ca688b05c0819b900d6e02a14df9028ff2cfe47a1fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a7118be111a9a18284b87b5a226ce3f4
SHA1 8f224e8e7798e9d8ad517cf527e83dee70ccdf4e
SHA256 a901ed948a308c3f4d344c900b74f00b6c1dd11621a7561ba7c4ab8bc5a2c55b
SHA512 70c6e25fe791f9e152d8bcf4044896c5eb31d31391c04405470f8c15991e52e3ce41de4d1f617e7e81ca3895a7be1fa96fd94f3c53e22b9ec298ec9ced381ff8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 408ab2b405ffc33ca2c3b7f2d958c077
SHA1 fc174a40a60417be66d7998ec50966c6505a037f
SHA256 3d9fa1b77a9b4a78cbfc3e8fedd782e0b03b72457a3b45e931029e8ab0b1d2a2
SHA512 3c5df1708f5a69d42447db0ce5e9576cc8166ba623e6eff95d241b55890e2748f788043a60959a9496973c1cda88e65172e91cf506b48f7da5905a52d802081b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 546fe228f9367872b56cbb2b2b9477ae
SHA1 9a89255b7914ba96d6452edd98e587a92f256fdb
SHA256 431959240767d358951547eea5652cb4f37871a0f7cde0a0f3c587f9ff0e5813
SHA512 62f76edf3eb4a9656727070e6981830ca63a6ec90be9b9a42922d1458bee696cb872d6518327bc0e65700cb00b91f53fab5782ce93c693b0cde09e2b4cd2b03a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d22a602b652bff79ef6601049fce0680
SHA1 a73d36a1484dd9a435a6653f8aa7508a847cb611
SHA256 d8de2fcc2ff097e69e157cc586f902a207d632880188db3f1eeba1ae1edbcff3
SHA512 8a8eb36a2f9c164f00b3f7da67bc5e3144e78a3990cdc855668157d37049a8e9e3d44f810bc054db60c305bd6d583b14f589eb1550ed37d4ce1f65db9f541fe2