Analysis Overview
SHA256
e50eaf87413548b3f85476bcf328fcb55767807b295170913a43bf0451a127e9
Threat Level: Likely malicious
The file Art Year 8 IMG 0658.webp was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Checks for any installed AV software in registry
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
System Time Discovery
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Checks processor information in registry
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Gathers network information
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 09:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 09:59
Reported
2024-11-13 10:04
Platform
win10ltsc2021-20241023-en
Max time kernel
280s
Max time network
278s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\DeviceCensus.exe | N/A |
Command and Scripting Interpreter: PowerShell
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\DeviceCensus.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\DeviceCensus.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241113095951.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7dfdca25-84ea-4afa-b599-beca34cbbe1f.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
System Time Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\DeviceCensus.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\DeviceCensus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\DeviceCensus.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
Modifies registry key
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Art Year 8 IMG 0658.webp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Art Year 8 IMG 0658.webp
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff88fe246f8,0x7ff88fe24708,0x7ff88fe24718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7cb575460,0x7ff7cb575470,0x7ff7cb575480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,18299880982939307608,14133114244066722536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\Windows\System32\find.exe
find /i "ARM64"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
C:\Windows\System32\find.exe
find /i "True"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd""" -el -qedit'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" -el -qedit"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\Windows\System32\find.exe
find /i "ARM64"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\cmd.exe
cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
C:\Windows\System32\find.exe
find /i "FullLanguage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
C:\Windows\System32\find.exe
find /i "True"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "
C:\Windows\System32\find.exe
find "127.69.2.8"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\cmd.exe
cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
C:\Windows\System32\find.exe
find /i "Subscription_is_activated"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "13" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440 0x80131501"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "
C:\Windows\System32\find.exe
find /i "Ready"
C:\Windows\System32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
C:\Windows\System32\find.exe
find /i "ed655016-a9e8-4434-95d9-4345352c2552"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\usoclient.exe
"C:\Windows\system32\usoclient.exe" StartScan
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem78EF.tmp
C:\Windows\System32\timeout.exe
timeout /t 2
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem7F77.tmp
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -1073740956
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -1073740956
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"
C:\Windows\System32\find.exe
find /i "traceId"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\choice.exe
choice /C:10 /N
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\mode.com
mode 98, 30
C:\Windows\System32\cmd.exe
cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | find /i "Current Edition :"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Windows\System32\find.exe
find /i "Current Edition :"
C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\dismhost.exe {7B9E0A07-13C0-4F6B-8F44-9C8CEE0C06C6}
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c dism /online /english /Get-TargetEditions | findstr /i /c:"Target Edition : "
C:\Windows\System32\Dism.exe
dism /online /english /Get-TargetEditions
C:\Windows\System32\findstr.exe
findstr /i /c:"Target Edition : "
C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E4A28A19-2810-4EFC-852D-92E1588D1B18\dismhost.exe {2B41A1B6-1482-434F-97DC-AE5A93D5791F}
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL) get LicenseFamily /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL) get LicenseFamily /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "" "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo " EnterpriseS " "
C:\Windows\System32\find.exe
find /i " EnterpriseS "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo EnterpriseS "
C:\Windows\System32\findstr.exe
findstr /i "CountrySpecific CloudEdition"
C:\Windows\System32\mode.com
mode 98, 30
C:\Windows\System32\mode.com
mode con cols=105 lines=32
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('GetEditionIdFromName', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $out = 0; [void]$TypeBuilder.CreateType()::GetEditionIdFromName('EnterpriseS', [ref]$out); $out"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('GetEditionIdFromName', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $out = 0; [void]$TypeBuilder.CreateType()::GetEditionIdFromName('EnterpriseS', [ref]$out); $out"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Retail', [ref]$out, [ref]$null); $out"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Retail', [ref]$out, [ref]$null); $out"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('KCNVH-YKWX8-GJJB9-H9FDT-6F7W2', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('KCNVH-YKWX8-GJJB9-H9FDT-6F7W2', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Volume:GVLK', [ref]$out, [ref]$null); $out"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SkuGetProductKeyForEdition', 'pkeyhelper.dll', 'Public, Static', 1, [int], @([int], [String], [String].MakeByRefType(), [String].MakeByRefType()), 1, 3); $out = ''; [void]$TypeBuilder.CreateType()::SkuGetProductKeyForEdition(125, 'Volume:GVLK', [ref]$out, [ref]$null); $out"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('M7XTQ-FN8P6-TTKYV-9D4CC-J462D', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('M7XTQ-FN8P6-TTKYV-9D4CC-J462D', 'C:\Windows\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="M7XTQ-FN8P6-TTKYV-9D4CC-J462D"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\usoclient.exe
"C:\Windows\system32\usoclient.exe" StartScan
C:\Windows\System32\mode.com
mode 76, 33
C:\Windows\System32\choice.exe
choice /C:123456789H0 /N
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\cmd.exe
cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
C:\Windows\System32\find.exe
find /i "Subscription_is_activated"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ver
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
C:\Windows\System32\find.exe
find /i "AutoPico"
C:\Windows\System32\find.exe
find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\find.exe
find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
C:\Windows\System32\findstr.exe
findstr "577 225"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7877525d-de7d-4f0b-8c7d-e575b14b7427.cmd') -split ':wpatest\:.*';iex ($f[1])"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "14" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440 0x80131501"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "
C:\Windows\System32\find.exe
find /i "Ready"
C:\Windows\System32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "cce9d2de-98ee-4ce2-8113-222620c64a27"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "
C:\Windows\System32\find.exe
find /i "ed655016-a9e8-4434-95d9-4345352c2552"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "
C:\Windows\System32\find.exe
find /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\usoclient.exe
"C:\Windows\system32\usoclient.exe" StartScan
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temDAF0.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temDBCB.tmp
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -1073740956
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b -1073740956
C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"
C:\Windows\System32\findstr.exe
findstr /i "PurchaseFD DeviceAddResponse"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"
C:\Windows\System32\find.exe
find /i "traceId"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\choice.exe
choice /C:10 /N
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/troubleshoot
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff88fe246f8,0x7ff88fe24708,0x7ff88fe24718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11748435106770308920,9970311961902068986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
Network
Files
memory/4444-818-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp
memory/4444-817-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp
memory/4444-820-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp
memory/4504-840-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp
memory/4504-841-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp
memory/4504-843-0x00000297FE5E0000-0x00000297FE5F0000-memory.dmp
memory/4000-844-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-846-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-845-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-851-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-853-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-850-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-848-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-849-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/4000-852-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
memory/1068-987-0x0000026D77460000-0x0000026D77461000-memory.dmp
memory/1068-986-0x0000026D77460000-0x0000026D77461000-memory.dmp
memory/1068-985-0x0000026D77460000-0x0000026D77461000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/1068-991-0x0000026D77460000-0x0000026D77461000-memory.dmp
memory/1068-990-0x0000026D77460000-0x0000026D77461000-memory.dmp
memory/1068-989-0x0000026D77460000-0x0000026D77461000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8c9827cf078a6275541477ea4206cf3d |
| SHA1 | 2e31ca2931ad53d271b5551d814074169cb66aa0 |
| SHA256 | c99a43d9688755a0bd310e4b4d04841a79b3e95b8246e77bba3dae1044a9991c |
| SHA512 | 0be1cc67373280c4177ec559fe4ee2a6319c62b9a81e009c34748f6685d123515968b22ac28811856329d3877b8c7ffbb0716ae5800f41f585ce310d42d1cfbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae0fe8c5c3fa1892790674583938de9b |
| SHA1 | 02cde0eb30d4acf8c899f2fa9931f40873f74716 |
| SHA256 | 2a86315e898bf22f263bf06bb1fdb50b6fa0a64b1579cafc1195dd8e159886d6 |
| SHA512 | 7d7f0027d7797049f5360b5160da6013667ed7702af8f45c5bd20c78d4189b038a3594e1015d4a675595dd51109ed84c0f82de505b97c432beeff2c82dfd8713 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e7b90da81836667f8f4cea770980d0cb |
| SHA1 | a4dad82965b664a7f2990b80e8d6ea40cd92b3c3 |
| SHA256 | 8e11f2adc62928ebf48fd56882bfb7dc36215e0f845e59f889724b3646748084 |
| SHA512 | 4e8bbaaf654de7a9a011a862a5c6aa8cc4d5e37dee267e89fc1301456e973cdad65fdadc9d3e6bbcc9b72ca688b05c0819b900d6e02a14df9028ff2cfe47a1fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a7118be111a9a18284b87b5a226ce3f4 |
| SHA1 | 8f224e8e7798e9d8ad517cf527e83dee70ccdf4e |
| SHA256 | a901ed948a308c3f4d344c900b74f00b6c1dd11621a7561ba7c4ab8bc5a2c55b |
| SHA512 | 70c6e25fe791f9e152d8bcf4044896c5eb31d31391c04405470f8c15991e52e3ce41de4d1f617e7e81ca3895a7be1fa96fd94f3c53e22b9ec298ec9ced381ff8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 408ab2b405ffc33ca2c3b7f2d958c077 |
| SHA1 | fc174a40a60417be66d7998ec50966c6505a037f |
| SHA256 | 3d9fa1b77a9b4a78cbfc3e8fedd782e0b03b72457a3b45e931029e8ab0b1d2a2 |
| SHA512 | 3c5df1708f5a69d42447db0ce5e9576cc8166ba623e6eff95d241b55890e2748f788043a60959a9496973c1cda88e65172e91cf506b48f7da5905a52d802081b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 546fe228f9367872b56cbb2b2b9477ae |
| SHA1 | 9a89255b7914ba96d6452edd98e587a92f256fdb |
| SHA256 | 431959240767d358951547eea5652cb4f37871a0f7cde0a0f3c587f9ff0e5813 |
| SHA512 | 62f76edf3eb4a9656727070e6981830ca63a6ec90be9b9a42922d1458bee696cb872d6518327bc0e65700cb00b91f53fab5782ce93c693b0cde09e2b4cd2b03a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d22a602b652bff79ef6601049fce0680 |
| SHA1 | a73d36a1484dd9a435a6653f8aa7508a847cb611 |
| SHA256 | d8de2fcc2ff097e69e157cc586f902a207d632880188db3f1eeba1ae1edbcff3 |
| SHA512 | 8a8eb36a2f9c164f00b3f7da67bc5e3144e78a3990cdc855668157d37049a8e9e3d44f810bc054db60c305bd6d583b14f589eb1550ed37d4ce1f65db9f541fe2 |
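The dropped-file and memory-region lists above are the raw material for blocklisting and retro-hunting, but they are easier to work with once parsed. The following is an added example, not code from the report or its sandbox: a small parser for exactly this listing format (a path line followed by `| MD5 | … |` style hash rows, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines), with a few triage checks layered on top. `SAMPLE` is a constructed excerpt that copies three file entries and three memory lines from the page verbatim; the flagging rules (a PE written into a fresh `%TEMP%\{GUID}\` folder, a path that appears more than once with different hashes) are the editor's assumptions, not anything the report itself asserts. One caveat the checks make explicit: the DLLs under the GUID folder carry the names of DISM's own provider modules and sit next to `dism.log`, so a location-based flag is a prompt to compare them against a clean Windows copy (or check their Authenticode signature) before their hashes go onto a blocklist.

```python
"""Parse a sandbox dropped-file / memory-region listing into structured
indicators and apply a few triage checks.

Added example, not part of the report.  SAMPLE is a constructed excerpt
copied from the page; the flagging rules are the editor's assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three file entries and three memory lines from the report.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\D0973D70-3F0C-4F88-A363-8DD8BF5B34E8\AppxProvider.dll
| MD5 | eb9cbac1aa278b6a8afdb95a9feb4dcc |
| SHA1 | 9f12442d4cab56ab451d3954783632f77be7f8e4 |
| SHA256 | 1bf704107250f4c08fdf2c450d4ab402ba5317a8c026cddf98c0ce225f487d4c |
| SHA512 | ea86c2360622401aa61c8932571df2dbf6c5fcc438d5b1048d61cfe9542cba0b74c1454dced6a13a7cd20fbbe5cbaa0b1432b8e4a6feb6702fd0b7cc37b436f4 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 6bea84c3d0b3706ca1b134c164757a73 |
| SHA1 | d847eadd4bfc08ae5fd14c06962341873ec44a06 |
| SHA256 | 658e4c12e1dd59d81dd7d244054ebb0d82060f151e30699bb72477fdf943203c |
| SHA512 | 6129892978ac779e92614b8bedf68364d486618fe3108ecec76f4b267ee01dbc947e4a54e57d87e77a176eb725e96c30f545eff84b4d333289c83a065ae0f231 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 6e6e45a51b6f2e249802dcba577af76a |
| SHA1 | b2ce869f898fbf3b4cea4e94d78b88c6d24c7fc6 |
| SHA256 | 3a9a98302e3ce1b8fdc0c5255c6f31537e1ee19b95eec47c9456dcf03e9699a5 |
| SHA512 | 721229645a62934628af9fbd4cdb66e7691335054e76b9fcfeaa8e1c7212a5a359f1e00e4c0c533ba2db4398a3a9808ef7a949306b0310a3c6bd35128890efff |
memory/4444-818-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp
memory/4444-817-0x00000218EB3B0000-0x00000218EB3C0000-memory.dmp
memory/4000-844-0x00000296AFB30000-0x00000296AFB31000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumed rule: a PE written straight into a fresh %TEMP%\{GUID}\ folder.
TEMP_GUID_PE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\[^\\]+\.(?:dll|exe)$",
    re.IGNORECASE)
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (files, regions); raise ValueError on a malformed listing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_LINE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None                       # a hash row after this would be orphaned
            continue
        if m := HASH_ROW.match(line):
            algo, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != DIGEST_LEN[algo]:  # truncated or mis-copied digest
                raise ValueError(f"bad {algo} length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)              # anything else is a path line
        files.append(current)
    return files, regions


def is_well_formed(text: str) -> bool:
    try:
        parse_report(text)
        return True
    except ValueError:
        return False


def unique_sha256(files):
    """Deduplicated SHA-256 list for a blocklist or retro-hunt query."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def rewritten_paths(files):
    """Paths listed more than once with different content (changed during the run)."""
    seen = defaultdict(list)
    for f in files:
        if "SHA256" in f.hashes and f.hashes["SHA256"] not in seen[f.path]:
            seen[f.path].append(f.hashes["SHA256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


def temp_pe_drops(files):
    """PEs dropped into a %TEMP%\\{GUID}\\ folder: verify against a clean copy, don't auto-block."""
    return [f.path for f in files if TEMP_GUID_PE.search(f.path)]


def regions_by_pid(regions):
    out = defaultdict(list)
    for r in regions:
        out[r.pid].append(r)
    return dict(out)


if __name__ == "__main__":
    fs, rs = parse_report(SAMPLE)
    print("sha256 to review:", *unique_sha256(fs), sep="\n  ")
    print("rewritten:", rewritten_paths(fs))
    print("temp PE drops:", temp_pe_drops(fs))
    for pid, regs in regions_by_pid(rs).items():
        print(f"pid {pid}: {len(regs)} dumps, sizes {[hex(r.size) for r in regs]}")
```

Run it on the full listing by pasting the report text in place of `SAMPLE`; `rewritten_paths` is what surfaces files such as `dism.log`, `settings.dat` and `Preferences`, which the report lists several times with different hashes because they changed during detonation, while `unique_sha256` gives the deduplicated set worth checking against known-good copies before any of it becomes a detection.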