Resubmissions
04-12-2024 18:25
241204-w2tc5avlex 8Analysis
max time kernel: 1199s
max time network: 1192s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted
04-12-2024 18:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.google.com/file/d/1DqYJ5h_YtGypvjTWkM6XnyvSLZPOEb7O/view?usp=drive_link, https://drive.google.com/file/d/1DTi19ol3pdgKI9lNzh6tyAaCW0Z83lbk/view?usp=drive_link
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
https://drive.google.com/file/d/1DqYJ5h_YtGypvjTWkM6XnyvSLZPOEb7O/view?usp=drive_link, https://drive.google.com/file/d/1DTi19ol3pdgKI9lNzh6tyAaCW0Z83lbk/view?usp=drive_link
Resource
win11-20241007-en
Errors
General
Target
https://drive.google.com/file/d/1DqYJ5h_YtGypvjTWkM6XnyvSLZPOEb7O/view?usp=drive_link, https://drive.google.com/file/d/1DTi19ol3pdgKI9lNzh6tyAaCW0Z83lbk/view?usp=drive_link
Malware Config
Signatures
Blocklisted process makes network request 5 IoCs
flow  pid   Process
255   1552  PowerShell.exe
257   1552  PowerShell.exe
270   5500  powershell.exe
273   5696  powershell.exe
275   5860  powershell.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 19 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  Explorer.EXE
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
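Caveat and a check, added here as an example that is not part of the sandbox report: Active Setup persistence is carried by a StubPath value under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}. The HKCU keys listed above are the per-user "already ran" markers that the shell writes after executing a StubPath, so their creation by explorer.exe is expected at first logon in a fresh image and is not by itself evidence of persistence. Bear in mind, though, that C:\Windows\explorer.exe is rewritten during this run (see "Drops file in Windows directory" below), so the explorer.exe named here need not be the genuine shell. The following PowerShell, written for this page with built-in cmdlets only, lists every StubPath on the machine, resolves the binary it launches, and flags entries that do not resolve to a validly signed Microsoft binary; the Get-StubSigner helper and its output format are this example's own.

```powershell
# Added example: audit Active Setup for persistence. Not part of the sandbox report.
# Resolve the executable a StubPath launches and return its signer, or a reason it could not be trusted.
function Get-StubSigner {
    param([string]$StubPath)
    # A StubPath is a command line: either "quoted path" args, or path args (unquoted paths with spaces are not handled).
    if ($StubPath -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($StubPath.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Bare names such as regsvr32.exe resolve through PATH, as they would at logon.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
        if (-not $cmd) { return "not found: $exe" }
        $exe = $cmd.Source
    }
    if (-not (Test-Path -LiteralPath $exe)) { return "not found: $exe" }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { return "$($sig.Status): $exe" }
    return $sig.SignerCertificate.Subject
}

# Machine-wide roots hold the StubPath; the per-user root only records which components have run for this user.
$machineRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$userRoot = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

$report = foreach ($root in $machineRoots) {
    $hive = if ($root -like '*WOW6432Node*') { 'HKLM (32-bit)' } else { 'HKLM' }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        if (-not $props.StubPath) { continue }   # nothing executes without a StubPath
        [pscustomobject]@{
            Component  = $key.PSChildName
            Hive       = $hive
            StubPath   = $props.StubPath
            Version    = $props.Version
            # True once the StubPath has run for the current user; a missing marker means it runs at next logon.
            UserMarker = Test-Path -LiteralPath (Join-Path $userRoot $key.PSChildName)
            Signer     = Get-StubSigner $props.StubPath
        }
    }
}

# Anything whose StubPath does not resolve to a validly signed Microsoft binary deserves a closer look.
$suspicious = $report | Where-Object { $_.Signer -notmatch '^CN=Microsoft ' }
$suspicious | Format-Table Component, Hive, StubPath, Version, UserMarker, Signer -Wrap
"{0} Active Setup components carry a StubPath; {1} flagged" -f @($report).Count, @($suspicious).Count
```

Run it elevated so the WOW6432Node root and the target binaries are all readable. A flagged entry is not automatically malicious (third-party installers use Active Setup legitimately), but a StubPath pointing at a user-writable directory or an unsigned binary is the pattern the signature above is meant to catch.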
Executes dropped EXE 1 IoCs
pid   Process
6044  explorer.exe
Modifies file permissions 1 TTPs 3 IoCs
pid   Process
5516  takeown.exe
5828  takeown.exe
5448  takeown.exe
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  DeviceCensus.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast  DeviceCensus.exe

pid   Process
5892  powershell.exe
460   powershell.exe
4964  powershell.exe
2044  powershell.exe
6068  powershell.exe
2056  PowerShell.exe
1100  powershell.exe
5892  powershell.exe
4528  powershell.exe
4872  powershell.exe
5752  powershell.exe
3012  powershell.exe
644   powershell.exe
1524  powershell.exe
4896  powershell.exe
5524  powershell.exe
6124  powershell.exe
1700  powershell.exe
5924  powershell.exe
5160  powershell.exe
3144  powershell.exe
5440  powershell.exe
3092  powershell.exe
2468  powershell.exe
5240  powershell.exe
5632  powershell.exe
Enumerates connected drives 3 TTPs 38 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\F:  Explorer.EXE
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\D:  Explorer.EXE
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
File opened (read-only)  \??\F:  explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow  ioc
256   raw.githubusercontent.com
257   raw.githubusercontent.com
3     drive.google.com
7     drive.google.com
12    drive.google.com
242   drive.google.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Drops file in System32 directory 9 IoCs
description  ioc  Process
File opened for modification  C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  PowerShell.exe
File opened for modification  C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  PowerShell.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache  DeviceCensus.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx  DeviceCensus.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val  DeviceCensus.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin  LogonUI.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock  DeviceCensus.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db  LogonUI.exe
File opened for modification  C:\Windows\system32\Recovery\ReAgent.xml  bootim.exe
Drops file in Windows directory 10 IoCs
description  ioc  Process
File created  C:\Windows\explorer.exe  cmd.exe
File opened for modification  C:\Windows\Panther\UnattendGC\setupact.log  bootim.exe
File opened for modification  C:\Windows\Panther\UnattendGC\setuperr.log  bootim.exe
File opened for modification  C:\Windows\SystemTemp  chrome.exe
File created  C:\Windows\explorer.exe  xcopy.exe
File created  C:\Windows\explorer.exe  xcopy.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagwrn.xml  bootim.exe
File created  C:\Windows\explorer.exe  xcopy.exe
File opened for modification  C:\Windows\explorer.exe  cmd.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagerr.xml  bootim.exe
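C:\Windows\explorer.exe is the canonical path of the Windows shell, and this run shows takeown.exe being invoked ("Modifies file permissions"), cmd.exe and xcopy.exe writing that path, and an explorer.exe then being run as a dropped EXE. On a host that received the same treatment, the file at that path may no longer be the Microsoft-supplied binary. The following PowerShell is an added example for this page, not something taken from the report or the sample; it uses only built-in cmdlets, and the expected values in its comments (TrustedInstaller ownership, a valid catalog signature) describe a clean Windows 10/11 installation.

```powershell
# Added example: is the shell binary still the one Windows shipped? Run elevated on the host being triaged.
function Test-ShellBinary {
    param([string]$Path = "$env:SystemRoot\explorer.exe")

    $file = Get-Item -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path                    = $Path
        # takeown.exe leaves the caller (or Administrators) as owner; a clean image shows NT SERVICE\TrustedInstaller.
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
        # Files under %SystemRoot% are catalog-signed: Status 'Valid' with SignatureType 'Catalog' on a clean image.
        SignatureStatus         = $sig.Status
        SignatureType           = $sig.SignatureType
        Signer                  = $sig.SignerCertificate.Subject
        # Version resource and timestamp: compare with a known-good host of the same build.
        OriginalFilename        = $file.VersionInfo.OriginalFilename
        FileVersion             = $file.VersionInfo.FileVersion
        LastWriteUtc            = $file.LastWriteTimeUtc
        Sha256                  = $hash
    }
}

$result = Test-ShellBinary
$result | Format-List

# Either finding is enough to preserve the file as evidence before touching it further.
if (-not $result.OwnerIsTrustedInstaller -or $result.SignatureStatus -ne 'Valid') {
    Write-Warning "$($result.Path) does not look like the Microsoft-supplied binary; keep a copy, then run 'sfc /verifyonly'."
}
```

Ownership alone is not proof (an administrator may have run takeown for other reasons), but a shell binary whose signature is not Valid is a firm finding. The SHA-256 can be checked against a copy taken from a known-good host or from installation media.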
Launches sc.exe 62 IoCs
Sc.exe is a Windows utility to control services on the system.
Process: sc.exe
pid: 2032, 5380, 1628, 1464, 3144, 5808, 2524, 2140, 4100, 4148, 2584, 4808, 2100, 5976, 2384, 2648, 4648, 632, 4516, 5348, 5436, 5332, 2672, 1464, 1720, 3720, 4692, 4292, 4884, 5864, 5960, 3972, 5828, 5992, 6048, 4060, 1524, 1144, 3848, 5640, 5588, 5432, 4120, 5616, 5040, 2144, 1632, 2100, 1512, 5776, 4048, 2788, 1228, 3092, 1504, 5820, 5408, 5768, 5956, 320, 644, 2384
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2492  PING.EXE
2560  cmd.exe
3032  PING.EXE
1064  cmd.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  Explorer.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID  clipup.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  Explorer.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  explorer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  explorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  explorer.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status  DeviceCensus.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  DeviceCensus.exe
Delays execution with timeout.exe 1 IoCs
pid   Process
5316  timeout.exe
Enumerates system info in registry 2 TTPs 13 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  DeviceCensus.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  DeviceCensus.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  DeviceCensus.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  DeviceCensus.exe
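The three registry signatures above (SCSI keys, processor information, system info) share one caveat: the processes that read them here (explorer.exe, DeviceCensus.exe, clipup.exe, chrome.exe) are components that query device and firmware data in normal operation, DeviceCensus.exe being the Windows telemetry client, so each hit is weak evidence on its own. And because C:\Windows\explorer.exe is rewritten during this run ("Drops file in Windows directory"), reads attributed to explorer.exe cannot be assumed to come from the genuine shell. What the keys do reveal is how visible the analysis VM is: the SCSI entries name a QEMU DVD-ROM and a Msft Virtual DVD-ROM. The following PowerShell is an added example for this page, not from the report, that reads the same locations on an analysis VM and lists the values a VM-aware sample would find. Its marker list and the Find-HypervisorMarkers function are this example's own; it uses built-in cmdlets only, and the CurrentControlSet link stands in for the ControlSet001 path seen in the report.

```powershell
# Added example: which hypervisor tells does this VM expose in the registry locations the sample read?
function Find-HypervisorMarkers {
    # Vendor and product strings that hypervisors commonly leave behind; extend for your own environment.
    $markers = 'QEMU', 'VBOX', 'VirtualBox', 'VMware', 'Virtual', 'Xen', 'KVM', 'Hyper-V', 'Bochs', 'Parallels'
    $pattern = ($markers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $findings = New-Object System.Collections.Generic.List[object]

    # SCSI device instances (FriendlyName / HardwareID), as in "Checks SCSI registry key(s)".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI' -ErrorAction SilentlyContinue |
        Get-ChildItem -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            foreach ($name in 'FriendlyName', 'HardwareID') {
                $value = @($props.$name) -join ' '          # HardwareID is REG_MULTI_SZ
                if ($value -match $pattern) {
                    $findings.Add([pscustomobject]@{ Source = 'SCSI'; Name = "$($_.PSChildName)\$name"; Value = $value })
                }
            }
        }

    # CPU identity, as in "Checks processor information in registry".
    $cpu = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    foreach ($name in 'VendorIdentifier', 'ProcessorNameString', 'Identifier') {
        if ($cpu.$name -match $pattern) {
            $findings.Add([pscustomobject]@{ Source = 'CPU'; Name = $name; Value = $cpu.$name })
        }
    }

    # SMBIOS strings, as in "Enumerates system info in registry".
    $bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
    foreach ($name in 'BIOSVendor', 'BIOSVersion', 'SystemManufacturer', 'SystemProductName', 'SystemFamily', 'BaseBoardProduct') {
        if ($bios.$name -match $pattern) {
            $findings.Add([pscustomobject]@{ Source = 'BIOS'; Name = $name; Value = $bios.$name })
        }
    }
    return $findings
}

$hits = Find-HypervisorMarkers
$hits | Format-Table -AutoSize
"{0} hypervisor marker(s) exposed in the registry" -f $hits.Count
```

Every row the script prints is a string a sample can read without privileges, which is why the report's own environment shows up as QEMU here. Removing or renaming those strings in the VM configuration is the usual hardening step; the 'Virtual' marker is deliberately broad and will also catch a mounted ISO (Msft Virtual DVD-ROM), so treat it as a hint rather than a verdict.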
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view the network configuration.
pid   Process
5376  ipconfig.exe
Kills process with taskkill 4 IoCs
pid   Process
4704  taskkill.exe
5812  taskkill.exe
1384  taskkill.exe
3832  taskkill.exe
description ioc Process Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created 
\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created 
\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies data under HKEY_USERS 17 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "245"  LogonUI.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778103381003506"  chrome.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
Modifies registry class 64 IoCs
Modifies registry key 1 TTPs 64 IoCs
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs
PID 2492 PING.EXE; PID 3032 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
PID 4008 explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
PID 4008 explorer.exe; PID 3892 explorer.exe; PID 1048 bootim.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
PID 3932 chrome.exe (listed 4 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1DqYJ5h_YtGypvjTWkM6XnyvSLZPOEb7O/view?usp=drive_link, https://drive.google.com/file/d/1DTi19ol3pdgKI9lNzh6tyAaCW0Z83lbk/view?usp=drive_link
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3932
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc848fcc40,0x7ffc848fcc4c,0x7ffc848fcc58
PID: 2148
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1880 /prefetch:2
PID: 4536
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2176 /prefetch:3
PID: 1880
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2228 /prefetch:8
PID: 2616
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3156 /prefetch:12⤵PID:4932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:4764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4512 /prefetch:12⤵PID:3544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4696,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4676 /prefetch:82⤵PID:3656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4824 /prefetch:82⤵PID:3972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5432 /prefetch:82⤵PID:1552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5612,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:1640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5700,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5760,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6068 /prefetch:82⤵PID:1928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6044,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6092 /prefetch:82⤵PID:2284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6048,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6024 /prefetch:82⤵PID:2128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6092,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5744 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5488,i,2064635614501167763,2048684461485057993,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:880
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:1772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4048
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:4316
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm https://get.activated.win | iex && exit1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2056
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" irm https://get.activated.win | iex1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1552 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd" "2⤵PID:2700
-
C:\Windows\System32\sc.exesc query Null3⤵
- Launches sc.exe
PID:4060
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵PID:4416
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd"3⤵PID:3972
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver3⤵PID:4288
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:1804
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:1076
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "3⤵PID:4012
-
-
C:\Windows\System32\find.exefind /i "ARM64"3⤵PID:4876
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd3⤵PID:1900
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "4⤵PID:2380
-
-
C:\Windows\System32\cmd.execmd4⤵PID:320
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd" "3⤵PID:2056
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵PID:1252
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""3⤵PID:932
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1100
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"3⤵PID:3020
-
-
C:\Windows\System32\fltMC.exefltmc3⤵PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4528
-
-
C:\Windows\System32\find.exefind /i "True"3⤵PID:1508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd""" -el -qedit'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:460 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd" -el -qedit"4⤵PID:1540
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
PID:2524
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:4012
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd"5⤵PID:2648
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵PID:4052
-
-
C:\Windows\System32\find.exefind /i "/"5⤵PID:4744
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵PID:1064
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV25⤵PID:2056
-
-
C:\Windows\System32\find.exefind /i "0x0"5⤵PID:1252
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "5⤵PID:2144
-
-
C:\Windows\System32\find.exefind /i "ARM64"5⤵PID:3848
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd5⤵PID:1160
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "6⤵PID:2936
-
-
C:\Windows\System32\cmd.execmd6⤵PID:1040
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd" "5⤵PID:4340
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"5⤵PID:4996
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""5⤵PID:2488
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:644
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"5⤵PID:2140
-
-
C:\Windows\System32\fltMC.exefltmc5⤵PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4964
-
-
C:\Windows\System32\find.exefind /i "True"5⤵PID:2412
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1064 -
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2492
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "5⤵PID:3032
-
-
C:\Windows\System32\find.exefind "127.69"5⤵PID:4112
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.8" "5⤵PID:4800
-
-
C:\Windows\System32\find.exefind "127.69.2.8"5⤵PID:2936
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵PID:1040
-
-
C:\Windows\System32\find.exefind /i "/S"5⤵PID:1160
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵PID:2584
-
-
C:\Windows\System32\find.exefind /i "/"5⤵PID:4996
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop5⤵PID:4808
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop6⤵PID:3720
-
-
-
C:\Windows\System32\mode.commode 76, 335⤵PID:4620
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N5⤵PID:2824
-
-
C:\Windows\System32\mode.commode 110, 345⤵PID:2796
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵PID:4048
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵PID:4940
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:2488
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:2140
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:2264
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:4384
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:320
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵PID:4052
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵PID:4728
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"5⤵PID:3972
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"5⤵PID:4528
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"5⤵PID:3320
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul5⤵PID:4884
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn6⤵PID:1728
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul5⤵PID:4292
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':winsubstatus\:.*';iex ($f[1])"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4872
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"5⤵PID:2448
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"5⤵PID:1012
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2044
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Enterprise LTSC" "5⤵PID:1040
-
-
C:\Windows\System32\find.exefind /i "Windows"5⤵PID:4112
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1700
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵PID:3144
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE5⤵PID:5072
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵PID:2044
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵PID:4780
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2560 -
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3032
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵PID:5036
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵PID:4884
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:4808
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:3076
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:2492
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:4776
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:1632
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵PID:1440
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵PID:4872
-
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
PID:2672
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
PID:1524
-
-
C:\Windows\System32\sc.exesc query ClipSVC5⤵
- Launches sc.exe
PID:3972
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService5⤵
- Modifies registry key
PID:1100
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description5⤵
- Modifies registry key
PID:1200
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName5⤵PID:2796
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl5⤵
- Modifies registry key
PID:1636
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath5⤵PID:3320
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName5⤵PID:3092
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start5⤵
- Modifies registry key
PID:4012
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type5⤵PID:4152
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
PID:2384
-
-
C:\Windows\System32\sc.exesc query wlidsvc5⤵
- Launches sc.exe
PID:1464
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService5⤵
- Modifies registry key
PID:4516
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description5⤵
- Modifies registry key
PID:1476
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName5⤵
- Modifies registry key
PID:4416
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl5⤵PID:3148
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath5⤵
- Modifies registry key
PID:4408
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName5⤵
- Modifies registry key
PID:4112
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start5⤵PID:1900
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type5⤵PID:5036
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:3720
-
-
C:\Windows\System32\sc.exesc query sppsvc5⤵
- Launches sc.exe
PID:2100
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService5⤵
- Modifies registry key
PID:2140
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description5⤵
- Modifies registry key
PID:4020
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName5⤵
- Modifies registry key
PID:2032
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl5⤵
- Modifies registry key
PID:3004
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath5⤵
- Modifies registry key
PID:1876
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName5⤵
- Modifies registry key
PID:384
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start5⤵
- Modifies registry key
PID:2824
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type5⤵
- Modifies registry key
PID:4940
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
PID:1628
-
-
C:\Windows\System32\sc.exesc query KeyIso5⤵
- Launches sc.exe
PID:1720
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService5⤵
- Modifies registry key
PID:1252
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description5⤵
- Modifies registry key
PID:2592
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName5⤵
- Modifies registry key
PID:1636
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl5⤵PID:3320
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath5⤵PID:3092
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName5⤵
- Modifies registry key
PID:4012
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start5⤵PID:4152
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type5⤵
- Modifies registry key
PID:2384
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
PID:1464
-
-
C:\Windows\System32\sc.exesc query LicenseManager5⤵
- Launches sc.exe
PID:3144
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService5⤵
- Modifies registry key
PID:1476
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description5⤵PID:4416
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName5⤵PID:1504
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl5⤵
- Modifies registry key
PID:2584
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath5⤵
- Modifies registry key
PID:3032
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName5⤵
- Modifies registry key
PID:3012
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start5⤵PID:2660
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type5⤵
- Modifies registry key
PID:3704
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
PID:4292
-
-
C:\Windows\System32\sc.exesc query Winmgmt5⤵
- Launches sc.exe
PID:644
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService5⤵
- Modifies registry key
PID:4776
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description5⤵PID:3392
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName5⤵
- Modifies registry key
PID:3416
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl5⤵PID:4872
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath5⤵PID:2672
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName5⤵
- Modifies registry key
PID:1524
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start5⤵
- Modifies registry key
PID:388
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type5⤵
- Modifies registry key
PID:1700
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
PID:4148
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
PID:2648
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:632
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
PID:2788
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
PID:1144
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
PID:1228
-
-
C:\Windows\System32\sc.exesc query ClipSVC5⤵
- Launches sc.exe
PID:4648
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:4012
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
PID:3092
-
-
C:\Windows\System32\sc.exesc query wlidsvc5⤵
- Launches sc.exe
PID:2384
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:1012
-
-
C:\Windows\System32\sc.exesc start wlidsvc5⤵
- Launches sc.exe
PID:3848
-
-
C:\Windows\System32\sc.exesc query sppsvc5⤵
- Launches sc.exe
PID:4516
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:4780
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:1504
-
-
C:\Windows\System32\sc.exesc query KeyIso5⤵
- Launches sc.exe
PID:2584
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:3248
-
-
C:\Windows\System32\sc.exesc start KeyIso5⤵
- Launches sc.exe
PID:4884
-
-
C:\Windows\System32\sc.exesc query LicenseManager5⤵
- Launches sc.exe
PID:4808
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:3720
-
-
C:\Windows\System32\sc.exesc start LicenseManager5⤵
- Launches sc.exe
PID:2100
-
-
C:\Windows\System32\sc.exesc query Winmgmt5⤵
- Launches sc.exe
PID:2140
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:644
-
-
C:\Windows\System32\sc.exesc start Winmgmt5⤵
- Launches sc.exe
PID:2032
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState5⤵PID:3004
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState6⤵PID:2264
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot5⤵PID:1800
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul5⤵PID:2672
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':wpatest\:.*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1524
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "13" "5⤵PID:1228
-
-
C:\Windows\System32\find.exefind /i "Error Found"5⤵PID:4728
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul5⤵PID:2488
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE6⤵PID:4052
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"5⤵PID:5072
-
-
C:\Windows\System32\cmd.execmd /c exit /b 05⤵PID:1508
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value5⤵PID:1632
-
-
C:\Windows\System32\find.exefind /i "computersystem"5⤵PID:2140
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "5⤵PID:1876
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"5⤵PID:4020
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"5⤵PID:1800
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"5⤵PID:2592
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"5⤵PID:1728
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"5⤵PID:2468
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"5⤵PID:1628
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"5⤵PID:388
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul5⤵PID:1252
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"6⤵PID:3320
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d5⤵PID:2380
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul5⤵PID:2672
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore6⤵PID:1892
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul5⤵PID:4728
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE6⤵PID:2384
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul5⤵PID:4052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"6⤵PID:3736
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "5⤵PID:2100
-
-
C:\Windows\System32\find.exefind /i "Ready"5⤵PID:5072
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f5⤵PID:4776
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"5⤵PID:1440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵PID:3416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"5⤵
- Command and Scripting Interpreter: PowerShell
PID:4896
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"5⤵PID:4884
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"5⤵PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"5⤵PID:2448
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul5⤵PID:1628
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE6⤵PID:1876
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "5⤵PID:3164
-
-
C:\Windows\System32\find.exefind /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"5⤵PID:1464
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "5⤵PID:3320
-
-
C:\Windows\System32\find.exefind /i "cce9d2de-98ee-4ce2-8113-222620c64a27"5⤵PID:4620
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "5⤵PID:4648
-
-
C:\Windows\System32\find.exefind /i "cce9d2de-98ee-4ce2-8113-222620c64a27"5⤵PID:1012
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "5⤵PID:4292
-
-
C:\Windows\System32\find.exefind /i "ed655016-a9e8-4434-95d9-4345352c2552"5⤵PID:5036
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552 " "5⤵PID:4752
-
-
C:\Windows\System32\find.exefind /i "f6e29426-a256-4316-88bf-cc5b0f95ec0c"5⤵PID:4808
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="QPM6N-7J2WJ-P88HH-P3YRH-YY74H"5⤵PID:3428
-
-
C:\Windows\System32\cmd.execmd /c exit /b 05⤵PID:1064
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus5⤵PID:4416
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul5⤵PID:632
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name6⤵PID:2936
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul5⤵PID:4940
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation6⤵PID:4872
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))5⤵PID:3004
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.191.X21-99682_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))6⤵PID:4776
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgAxADkAMQAuAFgAMgAxAC0AOQA5ADYAOAAyAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA7AFAASwBlAHkASQBJAEQAPQA0ADYANQAxADQANQAyADEANwAxADMAMQAzADEANAAzADAANAAyADYANAAzADMAOQA0ADgAMQAxADEANwA4ADYAMgAyADYANgAyADQAMgAwADMAMwA0ADUANwAyADYAMAAzADEAMQA4ADEAOQA2ADYANAA3ADMANQAyADgAMAA7AAAA" "5⤵PID:3320
-
-
C:\Windows\System32\find.exefind "AAAA"5⤵PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"5⤵PID:4292
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:3092
-
-
-
C:\Windows\System32\timeout.exetimeout /t 25⤵
- Delays execution with timeout.exe
PID:5316
-
-
C:\Windows\System32\ClipUp.execlipup -v -o5⤵PID:5376
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temCE1B.tmp6⤵
- Checks SCSI registry key(s)
PID:5400
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"5⤵PID:5508
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')6⤵
- Command and Scripting Interpreter: PowerShell
PID:5524
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "5⤵PID:5644
-
-
C:\Windows\System32\find.exefind /i "Windows"5⤵PID:5652
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate5⤵PID:5676
-
-
C:\Windows\System32\cmd.execmd /c exit /b -10737409565⤵PID:5708
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵PID:5724
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵PID:5732
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL" /f5⤵PID:5772
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"5⤵PID:5788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service wlidsvc } | Wait-Job -Timeout 20 | Out-Null"5⤵PID:5804
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5924
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service LicenseManager } | Wait-Job -Timeout 20 | Out-Null"5⤵PID:6116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:2468
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service sppsvc } | Wait-Job -Timeout 20 | Out-Null"5⤵PID:3148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5240
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus5⤵PID:1120
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate5⤵PID:4448
-
-
C:\Windows\System32\cmd.execmd /c exit /b -10737409565⤵PID:5476
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵PID:2216
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵PID:5492
-
-
C:\Windows\System32\ipconfig.exeipconfig /flushdns5⤵
- Gathers network information
PID:5376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://login.live.com/ppsecure/deviceaddcredential.srf').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"5⤵
- Blocklisted process makes network request
PID:5500
-
-
C:\Windows\System32\findstr.exefindstr /i "PurchaseFD DeviceAddResponse"5⤵PID:5584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; Add-Type -AssemblyName System.Net.Http; $client = [System.Net.Http.HttpClient]::new(); $response = $client.GetAsync('https://purchase.mp.microsoft.com/v7.0/users/me/orders').GetAwaiter().GetResult(); $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()"5⤵
- Blocklisted process makes network request
PID:5696
-
-
C:\Windows\System32\findstr.exefindstr /i "PurchaseFD DeviceAddResponse"5⤵PID:5676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; irm https://licensing.mp.microsoft.com/v7.0/licenses/content -Method POST"5⤵
- Blocklisted process makes network request
PID:5860
-
-
C:\Windows\System32\find.exefind /i "traceId"5⤵PID:5868
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL"5⤵PID:860
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess5⤵PID:5972
-
-
C:\Windows\System32\find.exefind /i "0x1"5⤵PID:5980
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DoNotConnectToWindowsUpdateInternetLocations5⤵PID:6052
-
-
C:\Windows\System32\find.exefind /i "0x1"5⤵PID:6004
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps5⤵PID:5968
-
-
C:\Windows\System32\find.exefind /i "0x1"5⤵PID:5960
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService5⤵
- Modifies registry key
PID:5820
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description5⤵PID:5848
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName5⤵PID:5904
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl5⤵
- Modifies registry key
PID:5920
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath5⤵
- Modifies registry key
PID:5936
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName5⤵
- Modifies registry key
PID:4348
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start5⤵
- Modifies registry key
PID:2236
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type5⤵
- Modifies registry key
PID:3416
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ServiceSidType5⤵PID:4144
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v RequiredPrivileges5⤵
- Modifies registry key
PID:5108
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v FailureActions5⤵
- Modifies registry key
PID:5296
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters5⤵PID:5248
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security5⤵
- Modifies registry key
PID:2672
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo5⤵
- Modifies registry key
PID:5300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Start-Service wuauserv } | Wait-Job -Timeout 20 | Out-Null"5⤵PID:960
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5160
-
-
-
C:\Windows\System32\sc.exesc query wuauserv5⤵
- Launches sc.exe
PID:5348
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵PID:5236
-
-
C:\Windows\System32\choice.exechoice /C:10 /N5⤵PID:5444
-
-
C:\Windows\System32\mode.commode 76, 335⤵PID:4308
-
-
C:\Windows\System32\choice.exechoice /C:123456789H0 /N5⤵PID:2936
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵PID:5200
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV25⤵PID:5404
-
-
C:\Windows\System32\find.exefind /i "0x0"5⤵PID:4876
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "5⤵PID:2736
-
-
C:\Windows\System32\find.exefind /i "ARM64"5⤵PID:1216
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd5⤵PID:2472
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "6⤵PID:1976
-
-
C:\Windows\System32\cmd.execmd6⤵PID:5408
-
-
-
C:\Windows\System32\mode.commode 76, 255⤵PID:5472
-
-
C:\Windows\System32\choice.exechoice /C:120 /N5⤵PID:5384
-
-
C:\Windows\System32\mode.commode 110, 345⤵PID:5492
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵PID:5376
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵PID:5540
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5632
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5636
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5508
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5648
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:5616
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵PID:5608
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵PID:5624
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"5⤵PID:5672
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value6⤵PID:5536
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"5⤵PID:5652
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"5⤵PID:5728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku6⤵PID:5500
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul5⤵PID:5940
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn6⤵PID:6024
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul5⤵PID:6048
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST6⤵PID:4204
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':winsubstatus\:.*';iex ($f[1])"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5892
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"5⤵PID:2972
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"5⤵PID:5952
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')6⤵
- Command and Scripting Interpreter: PowerShell
PID:6068
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "5⤵PID:2412
-
-
C:\Windows\System32\find.exefind /i "Windows"5⤵PID:4348
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"5⤵PID:5860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Command and Scripting Interpreter: PowerShell
PID:3144
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value5⤵PID:3908
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"5⤵PID:4956
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE5⤵PID:1440
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE6⤵PID:4384
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵PID:1040
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s5⤵PID:6128
-
-
C:\Windows\System32\find.exefind /i "AutoPico"5⤵PID:5368
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5256
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5316
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:5348
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts5⤵PID:60
-
-
C:\Windows\System32\sc.exesc start sppsvc5⤵
- Launches sc.exe
PID:1512
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "5⤵PID:2816
-
-
C:\Windows\System32\findstr.exefindstr "577 225"5⤵PID:5424
-
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
PID:5436
-
-
C:\Windows\System32\sc.exesc start ClipSVC5⤵
- Launches sc.exe
PID:4100
-
-
C:\Windows\System32\sc.exesc query ClipSVC5⤵
- Launches sc.exe
PID:5332
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService5⤵
- Modifies registry key
PID:424
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description5⤵
- Modifies registry key
PID:5276
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName5⤵PID:5216
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl5⤵
- Modifies registry key
PID:3148
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath5⤵PID:4492
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName5⤵PID:4768
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start5⤵
- Modifies registry key
PID:2736
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type  PID:4448
        5⤵ C:\Windows\System32\sc.exe  sc start sppsvc  PID:5432
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query sppsvc  PID:5408
           - Launches sc.exe
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService  PID:740
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description  PID:2216
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName  PID:5504
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl  PID:5576
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath  PID:5376
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName  PID:5620
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start  PID:5516
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type  PID:5668
           - Modifies registry key
        5⤵ C:\Windows\System32\sc.exe  sc start KeyIso  PID:5640
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query KeyIso  PID:5588
           - Launches sc.exe
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService  PID:5612
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description  PID:5608
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName  PID:5764
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl  PID:5756
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath  PID:1552
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName  PID:5704
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start  PID:2140
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type  PID:4728
        5⤵ C:\Windows\System32\sc.exe  sc start Winmgmt  PID:5776
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query Winmgmt  PID:5768
           - Launches sc.exe
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService  PID:5788
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description  PID:1348
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName  PID:5684
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl  PID:5732
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath  PID:5728
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName  PID:6020
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start  PID:5940
           - Modifies registry key
        5⤵ C:\Windows\System32\reg.exe  reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type  PID:3920
        5⤵ C:\Windows\System32\sc.exe  sc start ClipSVC  PID:5040
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc start sppsvc  PID:6048
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc start KeyIso  PID:5864
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc start Winmgmt  PID:5976
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query ClipSVC  PID:5828
           - Launches sc.exe
        5⤵ C:\Windows\System32\find.exe  find /i "RUNNING"  PID:1544
        5⤵ C:\Windows\System32\sc.exe  sc start ClipSVC  PID:4692
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query sppsvc  PID:5992
           - Launches sc.exe
        5⤵ C:\Windows\System32\find.exe  find /i "RUNNING"  PID:5980
        5⤵ C:\Windows\System32\sc.exe  sc start sppsvc  PID:4120
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query KeyIso  PID:5820
           - Launches sc.exe
        5⤵ C:\Windows\System32\find.exe  find /i "RUNNING"  PID:5848
        5⤵ C:\Windows\System32\sc.exe  sc start KeyIso  PID:5956
           - Launches sc.exe
        5⤵ C:\Windows\System32\sc.exe  sc query Winmgmt  PID:5808
           - Launches sc.exe
        5⤵ C:\Windows\System32\find.exe  find /i "RUNNING"  PID:6112
        5⤵ C:\Windows\System32\sc.exe  sc start Winmgmt  PID:5960
           - Launches sc.exe
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState  PID:5832
          6⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState  PID:5936
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot  PID:6068
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul  PID:3596
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':wpatest\:.*';iex ($f[1])"  PID:3012
             - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /S /D /c" echo "15" "  PID:2648
        5⤵ C:\Windows\System32\find.exe  find /i "Error Found"  PID:2660
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul  PID:5196
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE  PID:5340
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"  PID:5300
        5⤵ C:\Windows\System32\cmd.exe  cmd /c exit /b 0  PID:5352
        5⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path Win32_ComputerSystem get CreationClassName /value  PID:6120
        5⤵ C:\Windows\System32\find.exe  find /i "computersystem"  PID:2592
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /S /D /c" echo "0" "  PID:5160
        5⤵ C:\Windows\System32\findstr.exe  findstr /i "0x800410 0x800440 0x80131501"  PID:4292
        5⤵ C:\Windows\System32\reg.exe  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"  PID:5184
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"  PID:2024
        5⤵ C:\Windows\System32\reg.exe  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"  PID:5364
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"  PID:3608
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"  PID:448
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"  PID:4964
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul  PID:4528
          6⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"  PID:5204
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d  PID:2500
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul  PID:4308
          6⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore  PID:3068
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul  PID:2936
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE  PID:5240
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul  PID:4876
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"  PID:1020
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /S /D /c" echo "  PID:5576
        5⤵ C:\Windows\System32\find.exe  find /i "Ready"  PID:5568
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f  PID:5620
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"  PID:5516
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"  PID:5668
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"  PID:5548
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"  PID:5752
           - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\reg.exe  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"  PID:5972
        5⤵ C:\Windows\System32\reg.exe  reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"  PID:1516
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"  PID:5896
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value 2>nul  PID:5848
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL and Description like '%KMSCLIENT%'" Get Name /value  PID:5956
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul  PID:5808
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE  PID:5840
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /S /D /c" echo "0724cb7d-3437-4cb7-93cb-830375d0079d 16e50fa1-a5a0-479f-aa81-90756738b4f1 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 32d2fab3-e4a8-42c2-923b-4bf4fd13e6ee 357eb3d2-42c6-4731-ac66-df185cdd3683 59eb965c-9150-42b7-a0ec-22151b9897c5 60b3ec1b-9545-4921-821f-311b129dd6f6 632ffa10-3b75-4180-aed9-4e799a44563b 685e4f86-7690-4334-bf9f-2074335811bf 6c4de1b8-24bb-4c17-9a77-7b939414c298 7a802526-4c94-4bd1-ba14-835a1aca2120 90da7373-1c51-430b-bf26-c97e9c5cdc31 cce9d2de-98ee-4ce2-8113-222620c64a27 d552befb-48cc-4327-8f39-47d2d94f987c e923d769-e71d-4c2a-925a-93547cbe6547 ed655016-a9e8-4434-95d9-4345352c2552" "  PID:5812
        5⤵ C:\Windows\System32\find.exe  find /i "59eb965c-9150-42b7-a0ec-22151b9897c5"  PID:2416
        5⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="KBN8V-HFGQ4-MGXVD-347P6-PDQGT"  PID:6136
        5⤵ C:\Windows\System32\cmd.exe  cmd /c exit /b 0  PID:5320
        5⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus  PID:1072
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE" 2>nul  PID:5296
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get ID /VALUE  PID:5464
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f  PID:2796
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f  PID:2648
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"  PID:5132
        5⤵ C:\Windows\System32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\59eb965c-9150-42b7-a0ec-22151b9897c5" /f /v KeyManagementServiceName /t REG_SZ /d "127.0.0.2"  PID:3144
        5⤵ C:\Windows\System32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\59eb965c-9150-42b7-a0ec-22151b9897c5" /f /v KeyManagementServicePort /t REG_SZ /d "1688"  PID:5452
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null"  PID:4620
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:6124
             - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\sc.exe  sc query sppsvc  PID:5380
           - Launches sc.exe
        5⤵ C:\Windows\System32\find.exe  find /i "STOPPED"  PID:5384
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"  PID:2736
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:5632
             - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\ClipUp.exe  clipup -v -o  PID:6024
          6⤵ C:\Windows\System32\clipup.exe  clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem7A88.tmp  PID:6028
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"  PID:5992
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')  PID:5892
             - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 IoT Enterprise LTSC" "  PID:5816
        5⤵ C:\Windows\System32\find.exe  find /i "Windows"  PID:2732
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE" 2>nul  PID:5936
          6⤵ C:\Windows\System32\Wbem\WMIC.exe  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get GracePeriodRemaining /VALUE  PID:5960
        5⤵ C:\Windows\System32\cmd.exe  C:\Windows\System32\cmd.exe /c powershell.exe "$([DateTime]::Now.addMinutes(6902440)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul  PID:5952
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$([DateTime]::Now.addMinutes(6902440)).ToString('yyyy-MM-dd HH:mm:ss')"  PID:5292
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_7c784eb4-e5db-49d3-9ca4-8ca3d9cd5fc9.cmd') -split ':regdel\:.*';& ([ScriptBlock]::Create($f[1])) -protect"  PID:3012
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f  PID:2672
        5⤵ C:\Windows\System32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"  PID:1464
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f  PID:5272
        5⤵ C:\Windows\System32\reg.exe  reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f  PID:5128
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"  PID:6140
          6⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:5440
             - Command and Scripting Interpreter: PowerShell
        5⤵ C:\Windows\System32\mode.com  mode 76, 33  PID:3472
        5⤵ C:\Windows\System32\choice.exe  choice /C:123456789H0 /N  PID:5628
1⤵ C:\Windows\system32\usoclient.exe  "C:\Windows\system32\usoclient.exe" StartScan  PID:2412
1⤵ C:\Windows\system32\DeviceCensus.exe  C:\Windows\system32\DeviceCensus.exe  PID:1440
   - Checks for any installed AV software in registry
   - Drops file in System32 directory
   - Checks processor information in registry
   - Enumerates system info in registry
1⤵ C:\Windows\system32\Clipup.exe  "C:\Windows\system32\Clipup.exe" -o  PID:5196
  2⤵ C:\Windows\system32\Clipup.exe  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temC542.tmp  PID:5252
1⤵ C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  PID:4808
1⤵ C:\Windows\system32\Clipup.exe  "C:\Windows\system32\Clipup.exe" -o  PID:5716
  2⤵ C:\Windows\system32\Clipup.exe  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem795F.tmp  PID:5792
1⤵ C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  PID:5212
   - Drops file in Windows directory
  2⤵ C:\Windows\system32\xcopy.exe  xcopy Win11Explorer.exe C:\explorer.exe  PID:3476
  2⤵ C:\Windows\system32\takeown.exe  takeown -f C:\Windows\explorer.exe  PID:5516
     - Modifies file permissions
  2⤵ C:\Windows\system32\xcopy.exe  xcopy explorer.exe C:\Windows\explorer.exe  PID:6084
     - Drops file in Windows directory
  2⤵ C:\Windows\system32\taskkill.exe  taskkill /f /im explorer.exe  PID:4704
     - Kills process with taskkill
  2⤵ C:\Windows\system32\xcopy.exe  xcopy explorer.exe C:\Windows\explorer.exe  PID:5984
     - Drops file in Windows directory
  2⤵ C:\Windows\system32\takeown.exe  takeown -f C:\explorer.exe  PID:5828
     - Modifies file permissions
  2⤵ C:\Windows\system32\xcopy.exe  xcopy explorer.exe C:\Windows\explorer.exe  PID:5632
     - Drops file in Windows directory
  2⤵ C:\explorer.exe  explorer  PID:6044
     - Executes dropped EXE
  2⤵ C:\Windows\system32\userinit.exe  userinit  PID:5816
    3⤵ C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:5840
       - Boot or Logon Autostart Execution: Active Setup
       - Enumerates connected drives
       - Checks SCSI registry key(s)
       - Modifies registry class
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
  2⤵ C:\Windows\system32\taskkill.exe  taskkill /f /im Userinit.exe  PID:5812
     - Kills process with taskkill
  2⤵ C:\Windows\system32\taskkill.exe  taskkill /f /im Userinit.exe  PID:1384
     - Kills process with taskkill
  2⤵ C:\Windows\system32\taskkill.exe  taskkill /f /im explorer.exe  PID:3832
     - Kills process with taskkill
  2⤵ C:\Windows\system32\takeown.exe  takeown /?  PID:5448
     - Modifies file permissions
  2⤵ C:\Windows\system32\net.exe  net user administrator active:yes  PID:708
    3⤵ C:\Windows\system32\net1.exe  C:\Windows\system32\net1 user administrator active:yes  PID:2140
  2⤵ C:\Windows\explorer.exe  explorer  PID:632
     - Boot or Logon Autostart Execution: Active Setup
     - Enumerates connected drives
     - Modifies registry class
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1524
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5296
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088 -
C:\Windows\System32\efyliz.exe"C:\Windows\System32\efyliz.exe"2⤵PID:5232
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1812
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1656
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:6120
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5180
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4700
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4792
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4224
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:2184
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4908
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1908
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2312
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5164
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3052
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1600
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4136
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4916
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2320
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4704
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5744
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:644
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3796
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1104
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4264
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1880
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1612
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3888
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2808
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:2108
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:6024
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1112
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3080
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4216
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3068
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:988
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3652
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3800
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:232
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4332
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- Suspicious use of SetWindowsHookEx
PID:1076
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5272
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3668
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2020
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- Suspicious use of SetWindowsHookEx
PID:5444
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5448
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Suspicious use of SetWindowsHookEx
PID:5708
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5288
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- Suspicious use of SetWindowsHookEx
PID:3196
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3944
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Suspicious use of SetWindowsHookEx
PID:1600
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4624
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- Suspicious use of SetWindowsHookEx
PID:5840
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4008
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Suspicious use of SetWindowsHookEx
PID:5012
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:424
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:388
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Suspicious use of SetWindowsHookEx
PID:1928
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- Suspicious use of SetWindowsHookEx
PID:5640
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3944
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:2224
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
PID:4792
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
PID:3540
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:3892
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:1228
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
PID:5748
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
PID:3096
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4000
-
C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3fd9855 /state1:0x41c64e6d
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5272
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:4776
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
PID:888
-
C:\Windows\system32\bootim.exe
Command line: bootim.exe /startpage:1
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1048
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (3)
- Obfuscated Files or Information (1)
- Command Obfuscation (1)
Discovery
- Browser Information Discovery (1)
- Network Share Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (5)
- Remote System Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (5)
- System Network Configuration Discovery (1)
- Internet Connection Discovery (1)
Downloads
-
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1920_1080_notdimmed.jpg
Filesize 311KB
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_docs.google.com_0.indexeddb.leveldb\CURRENT
Filesize 16B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_drive.google.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize 23B
-
Filesize
1KB
MD5354b9ef1cd59e42846f32f6f174ce0e8
SHA1e703692080b9507e50b20d059643308994583592
SHA256ca35c7385a1c094bc12c602ac74496528133f209c323febce0d6dbe5345bc8e4
SHA512e94989fb615096a73165a510761aecf7f2b309b414e54ac0cbc9eb4acee107f5723334ef4b52b220dfeddc41dfbd3e61b5ce931d35fae53eee4dbb0c08111269
-
Filesize
944B
MD561d68fa5ec8cb29e11d462a37fdb3287
SHA16d1176c10fafc35a2ad9e637a760820ee8b63ab5
SHA256d5c92a1b6824fe91e75bb90a3fe750624e64f228796c6ec3875a8fd749fec5bf
SHA512551939a6d7f43bd966d17f4b44e3a1ed1d05eb0f6f86cac6e5fcac53f296e4eebe688045181a2ebd1f513e15a877848217f7b89338779cab518f741689e08122
-
Filesize
1KB
MD526555f460505eff10343a8b781830edf
SHA1a2ff1cb63557e775cf253dd0cc81716c55143f14
SHA2562e45be2670671338c14bfbdb831b5c84eda9bbea604cd36202afc4f74e12c26a
SHA512a4b7a2973ca7377f5a62f0d4e527f78316c00890c7f0313f75c273b3d72cdf7c31b7e684bddab4c8abfc45fdddd8197434505d57801b1c5fd8121c00d8cf9ea0
-
Filesize
1KB
MD53b189ab8ec91993cbadc39694e3664e1
SHA124a5746a4545f10ee1226ba652c97cf10e5be2fc
SHA25675f1385cba29dcb249d78f9d727183f6089ad02ffbd0a0649518a385f5086258
SHA5125781b75e5ac5abd908f73cf092f6c07cdc8f532e29cee986b40e5f719f9620874f75afa5fae7b0275944abb1f0439dfb6a55468ec6f6cbcfbdebead287dfed86
-
Filesize
1KB
MD5e550294e6fc2835219e96205a6a52ac9
SHA141adea62b5c249173aef7ac5ced65d9b4ac565bc
SHA256efaea30783896b0b4912e032f07985b09d8a862cfc08685e9dcb065ee0165941
SHA512737b20d77037018f77ce81a51895d600b9933c3ab4b9c23be39119ebc6ce1086efbc1b51951abc45d950ad7f461d0ff7499450761c445e5b4f9e8f2a29c48216
-
Filesize
1KB
MD5b8d659b83a3b20477e3b55243260d8ea
SHA142dd115932fcb7892cbb10e296ed76c0f57085a3
SHA256612c85ef5478ba57a71941f897b2d19160bd01d9748fb5dc40f3f8d694f8a83b
SHA5122d459bc41557b24e45e684504ac8198a54404608daff984bb4729289fc07d14814e55128781bbec314b9d0b91b903737e1af805558ef5a935108d52bbb645782
-
Filesize
1KB
MD5ccef1afdceb73c7d0537e14716dd14c6
SHA1dc67fe631763a0a0392fb711bf889c24927d03ed
SHA25606d42030275cb632580d6d044d8f04927da3e3550d77af5b468b13c6bdb46524
SHA512a163daefd601ed994637e006c206b5f83da1faebc6130e15d524266000a2cb239071bbced771e0aea1283fc569efd2b0578cf7bac63936766cb961e7082a9bd8
-
Filesize
948B
MD530376fc6cf7ed694659cb8b8ad5413d5
SHA1c799e3263878134bb4f4445901bfeaf9af866b38
SHA256eadc8b1a93a59925de036c28ce29b34e615a4e73a02ac0e95178852b8b52074f
SHA512a4ecca1aa7676afae0bf0e8c07b899644c4e07796e3ac69b19cfa0e6d1db0271ffcd34db51b17a2c9cfddbb867a5842cbfd8ce38ef868590f6b21ee0ad3c6553
-
Filesize
1KB
MD5b542da368fc38d500ef78e4b742bbe77
SHA1afefaf7164a08747f8522bfa5561befd90eccde3
SHA25642e293a569a0533403e50b42fc38e175ab0f750202e1d97c36ae6b32e8fb3ea8
SHA5129326305254e2a749423af5029d9342ad5090092e8c52c1502a9421cdd130e305880ead903ff8aeea261fca9b5f5f9661c0c41ad69a5fa30cba771950c558bd49
-
Filesize
944B
MD5b6a311a793133569dbfaf6be7a8dd188
SHA1945a025342a83b542a49da91351211eb3ac5a9ba
SHA256741e45b06ffc8e53e60a3b7c699c1cba5f5392ce448f3b029c690d48b58eaea2
SHA512bca47815df4335c51898e60a942a323c78dfc43a0895fbd6193af06418e0da3d9a9840df2057a29e9963e45d11c3ca013510b33fff96941c971b368d0263e01d
-
Filesize
1KB
MD598d2cb57b517217af19d7aa3e708c37c
SHA18c89b4176b27381b47715417a6a27eac5cfc2ed3
SHA25698dc144dc3bb3dc1170e7f5814a9f729a3379aca98ddd61306e9ea2f42a9199d
SHA512dda7ae5af861d66400b7cefb296e8b3395032912c432ad9bf4ed51995f71006a9fb54f04412fd63824c08b6fb6bbb4be5372b5f195a654557456dea0015a74b3
-
Filesize
1KB
MD539329ac610edda1fbc5c1da1304eb4b1
SHA1294987ee15e12289511c84caf771868384ea2a9e
SHA256b30528817e2fbfc358b75adb373f259a7727fb9ebcdc14e8b628c02eeaebf145
SHA51203988fe0729bc9a72b488591f578df68eae4a00bc13ac100b5f33e38236db7b29f8d96c32af42f5f63472087b76292a381a1fc744db29e7414adfdd1b9a08727
-
Filesize
1KB
MD5a2d24f9830de86e00fc6649cb269ccce
SHA1cecfe1506beccf1f3e19a4e9a71dae1493e9dc9f
SHA256f337c17166085d53a4029f3fd0f09b29cb524aef98279710f7dd5406a2fdc3ec
SHA512836a5909ef2f68b4974737b1d7eff4171fcfe9b20f06b7146134c53e20531a96a8c68c518c82bf5082e647e2675124c8f98a8ab2d9e27e07f47a667c3e18c8e0
-
Filesize
1KB
MD555c8068c0072a7be04da296108cf4b2b
SHA1d7db9aad58cfc1dbf099e618e90c9a9f9d6fcf31
SHA2566b60b4d8068679065493422f5e57114ebe5af4a6257a89b7e5578e3509c1a8aa
SHA5120466ed56ce66e971a9a9bd75248db835953a6442aee1fa93153a29091811dc89c360d94c6aea72e51836a491e70aa237d7a9d7e504241f109395c150dba358ee
-
Filesize
1KB
MD5386b107df9241d8f248fc96faad1544c
SHA1a05d694e3cb27a95d678d74762c0ae631249d055
SHA256a8eeb94f5b7fa5e09a311c3f38290087586388e2449d7500a4aaed8f46092050
SHA512180712905b0280a509e3a6aadfed222eabfd5f2246884d30f19b318b3ebd69707412aef217ff287f511b66058f704900e9f1e83f4ab0b2678a2f18befa6a80a3
-
Filesize
1KB
MD5f369c263f7c94652dc75d93071f23b63
SHA11a78273c959cc1acb91fb690eeaf04f955ac1b41
SHA256d2250f3c97968749fc8315a2b3d17091196a5cadd7c4dc6ebd90284f02665d48
SHA5120f32f57ce26568ed107147e794ba4b5cc85d46ba95b2771030c181c3030e35689cfaf2811101e61e494bee6763292d8f32286444b6f808bd47641fae35e782aa
-
Filesize
1KB
MD565264d7035d2d3450db0a87076811634
SHA1c8406b301832b7acfc215efe7296ba966acd13b3
SHA2562ec4fecc5bfcd7c669b2a226df6488122832498efaa560962c78aa1a5e6ba814
SHA5120be4a9b2b02b1e0b827b138c6f0aeeec02f4ffc980885a548bddacddbb1e3afbac1b6b1482145d55e9c2184cb2eed6a67f36079557a65e9534a1699fc3957c15
-
Filesize
1KB
MD5996a0666d0926f9b23863932ddb7b73c
SHA1f81bd9f495ec0313ed2a99e866cb3244acfa9063
SHA2566eccfbf910d202050ec560350ada31e1fbbdb88f0f2ca0497efef8d5be3de32a
SHA5129dccf7e424830976cc15920b17cc9db6e922463db2a2e9b3649a85cc9606dd31052d3847358037d81f82e92fe9aead58e64f0f374b46c0741ae6ce229c87be8e
-
Filesize
944B
MD50aade5d737f6451790e0586e5b04b0f8
SHA11b07068003400fe47fb99011a3413002065a6a21
SHA2567fc11acad836e9a17f807bde78487703a5dee4e964681b1926c5f576cf111311
SHA5127766056a57efdb52f2f0683ff3503ec7a3761c3e160d83e9b4e479f5dd262fb33e5fe7425e636bf8e615ea25e84a0320d03a06fde05c6528f24e0b53c1c3e011
-
Filesize
1KB
MD573ebaff0117cf97ba8ed64bc0071f8fd
SHA1a9246ff20c0df9a452fbb2e3817886c6729f0912
SHA256391e721241c4e98e963c3295916b42ec02bab0eb0f26f09a3563b1a6de35bdd0
SHA512ffd7d41bf5af31cd51a450d8d3e67e3d99fe60b401060fe4305c0e81cfc211458e0706f624a0e04cfee0fd78d9b71b4702230c5e9b0d905e48c8a84e4e3c078d
-
Filesize
1KB
MD5fd67bac2c8300839d0f639840ca07b60
SHA125215e741e30edd8176b3097c4e3e772328e0a7a
SHA256993aaf987d59b5db329b28c0cbb6456850234f48fce4552f93ceb63312ae9d7b
SHA5128f9665deaa25ae36fba47f037f1eb3a8da566cde8d5b0a839aeacca62f081c3792d78f04cf08bd6a0b2687de8d690f0db3e45dbe6bafe83299d8f88f196f1a5e
-
Filesize
944B
MD587005308471169dc6c5a3683b7122717
SHA125b4750425d444c5514c61cf47763d65c470eab6
SHA2569360b29b6c01be2b75393cdb1e0bbef4e7278908929facd2229f443ecd67a7be
SHA512cf3cbfd0b26eb7e1b455821167b0fb9a64bb37dfe499a5b9265903fe6ed5a005d78e2f3b56cbf108e2427d4acfbcc3364d86be9c3d1470f50dfd16d77d0662ca
-
Filesize
1KB
MD5f7f47d5e8040dc056c3e567bca102cfc
SHA1ecbac7c336e04d694ac540eeb3a55930f425bba0
SHA256f3725206835c6f15765eef61b6f9d42ea0028f9eb01d54b4591cebf847e1e48c
SHA51242ba8a0591d1117dc260bad22b8d605d62acc7ef5cfda582065cb85aa897ddf3b749bffc281d1ea7d03cf9282177892b3da0d4a97662d0f134f4c30e23b93fef
-
Filesize
1KB
MD58ae09ee3602efc105e317ff760ca0e8f
SHA115a7de4ae2291eb17d75d1e7145756b1fc9d3a55
SHA256690ac1d3fe2af9867b3a23cb7c1d9b884629e3ab68914fa78f7b90d07092c64f
SHA5121a827d65e16aef87f64d48739f90a90b0ab7d753d7a38a27aec38ba4bef729a9902e5dbdaa738918563e98b4d88d9a57ff1a0fab3115f4f224a088d0a604d125
-
Filesize
1KB
MD58eee28b669ba3615bfcb6e64a6fbaada
SHA1233736732f1ae619960cbf151fdb032456a69169
SHA256ba681cc94cd9d604e95cd572ef6725b2268e763c887a73a86865f83f2d313f4c
SHA51200265c6209a02fcc1abd6d3ba196eab264fabe18d021b5321fb0cce308bc9feda8d494865890c24ecd9b78fb1a4cdfc1ae0ac81aebdca13472c958bfbe932cc7
-
Filesize
1KB
MD5ce1d7abf0cc8fbd54f0d232571690aed
SHA1463456c4e5361d5bfd2adadb39061fbb978802d8
SHA2565e7f4a2a7f48a43376562dc4eeb576a77bc524062898bb40d154427fa93d7022
SHA512cc9ff997bd7b9f6fb4dbb41c907e2aadc5457d99c5016949ed47d6d3ce19d4e9c5b349e9f01cfeb02295c3e38755ee60897615b32b01d0a92d12146902e5828c
-
Filesize
1KB
MD5694f641cdf324f6dfb401ea537263fad
SHA1b3585f7a610805505520b59936aefdd293f3e50b
SHA25620ef665d0745925f9042f8ac7185d34088a94fdf1fc775556d861c705a81119d
SHA5125a60d4524ee419471ee0b2d97b90a8080a24f8b7b361e853e01940ab7f2542732ab1dcd5665aec5bae69d66fae4ba411311a5395e88d1496d34f5a5714d0f4e5
-
Filesize
944B
MD5bd801a419be0770ce8ce40db8a9d3746
SHA1ec62e6eb92e9843876443c95a9f38be828f7af73
SHA2567d9cedb0936bc4668788229b84f399a69cd5060964dfbc4ff471d9d9b4ae48ad
SHA512d805e6b1a570aeb1a6e04710fc03e01bdb23ce1cb880ae6117784d393b5dd1fc300db79c3580539ed87a1ec192731b3ba34274fbe61c53d3aa6b90ce10b0ba54
-
Filesize
1KB
MD5e3865f44be563d0af3b39734429d4f5b
SHA117961bdf941365acb0e6cf8fe34291e490dca19d
SHA256dfd017c79e76577b22d30e8f90a14794d5c0610e8237a9b97c5fd4dc29c0a70f
SHA51240eff9f0c72955b3d0ec2aa4245619980e55b8a8832fc9a53a6d779889b979c55d6f613d15febec17371115bc4cf8d644ed6aef2970999d9aa02ff29216d69d3
-
Filesize
1KB
MD52a949ec2508babb7ad0e5f71ae8d0660
SHA127b2919a902a4d187e4e694c6d6d14c4a8b9e3dd
SHA256b833b184026251d07f7819c3ea87f91f9bc53b5b976eb6c642dbd464e644338c
SHA51222814bbdaba0e42de5d0d4a3410effa3e669e7dd71d71c11883c13ffe5a621d967fcf55fcb11dd647af4356436ca24cc69f1eb97d46a9954cdf22eae25d7fd95
-
Filesize
1KB
MD5c33908b9985f91f626d6ef467bdfc4ad
SHA1f9953fdfc75d97829e312c7cfd4c89d8c14865aa
SHA25672b0752d3cf4f49a53b106710f067a40c46b48119158d6547d7fe5ae8e62aca8
SHA512941e190c4a10befb5e187bd0f02983809a26c0738df1935f02ecaf054a64a0502be7bf3aa382ab67eddc46c9875c4d5f9dea21de1330fa92f63c24dfd1304b59
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TD9A1703\microsoft.windows[1].xml
Filesize96B
MD5f2e16f95f5d0e6afdc08db7a1ed75fef
SHA1b3d3a1f0fed3397475216a575bf7d8a47420b118
SHA2566ec6c0a5e6d91fbc884cb3687a852d2f4b4172baa9b38d4827cb66eca246aae6
SHA512ca807e03c20c4d5699305aa6c5288fa03983b00106d446a0466650750fb280ec4f4e64f56b321caef2499df1e12c0562422d0d13ff4676dbbb43ee6e43eb7731
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}
Filesize36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
Filesize36KB
MD5406347732c383e23c3b1af590a47bccd
SHA1fae764f62a396f2503dd81eefd3c7f06a5fb8e5f
SHA256e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e
SHA51218905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133778113154587140.txt
Filesize82KB
MD5a3cfe38af2c6d82d24e069a4932c9787
SHA1ee8f9643dfe33cd956b3f283021f40747a922e96
SHA256698534246a8f9480b845c0d0e5aa5b523bafa94af1bb4173fa8fd38c44ea5eb6
SHA5129c1904ae4e6756c9aa47c7b076d39066d10a80bf1b190dae9fb94de16a480765d889dc1ef34f38c50e07a1e4fe5c72b4eb665ce20639ca06b86d4735667bf30e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
584B
MD55f555490ef62b83b8345c20864e42f83
SHA17d704b816bb745b6fbc0e1878a83d2f6fa74e5c2
SHA256eb994f9a98f959e6aa5a6f21332119e3296fa146be355ff2faebe73203ac0b90
SHA51261ce910cd6cd2502351c038d00fd1d81516afb8f27b82c31fe631cbe1b4db4832d1c7577a8d0ffc27033d313cc23f5032796b64eb4414e80d7b875ce1ea8ef65
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize6KB
MD5d1bd44273a890277bc743717e6852fa1
SHA1bdd2e646a7a9acc46a85e39c1dcfc7fa53e20990
SHA25669c05225e7c410a7f60f8803d9f637dbd3a2e40f02ed1fcec11f1a798e8c640c
SHA512492ba8198682292f64134e7516b6fa6de3eaea230f98ab7dfc3ea2f70fdebf5a4dc67bf7999de1be4c3c7c05589233903f64439be49382b86542b9a1385d4d82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize6KB
MD547c0aa260c0d7ede1fc22865754cdb7a
SHA19ed5bc9e8c6489e5a28268a11b5fdbd73fc064ee
SHA25613d1d913677bb13952491e0f724cc92c3ade77a17b64c6e1f5712bd2e3c2e521
SHA5125f3b2f3add39368728f808281e5f2526570ab52f7b1f9b8358b44ab3024b0770460bda5be4b6ff243a0ac83c7e186bd501380a398284e6e4416f9faedf5e8c4a
-
Filesize
4.8MB
MD54f543bf58bbf481126a556fc8d642415
SHA153fa292e148d65227910bac9be1ad498d17fabf9
SHA25649af13fcadea3f3b5807f11df9d2636da4033f6a4ec294940fef671336c88ce7
SHA512c273e54478c3a85c4aab3498af6b5abed9001bd87062ee3a83349e731be11af31482dd541d44af8275d96d45017ab67bfe48d2fcfd57583f493c0477d04a3627
-
Filesize
1KB
MD5a250345f9dfd1301984a24d51a7d2ef5
SHA174ca6cf486ac2c3531a325efb8ab736f8815122f
SHA256f2255a21a7ceb158ee4a0cdbd24ea6ed758a1866f7f1ae8344ae942670384781
SHA512ab087451dc5a79def7a6a68c3262d623baa611d03a2dac5356c77357f5477f491654e9a0a5ef38a363b34ab228c9b39f43736821cc1eb93043dc19d73a547846
-
Filesize
206B
MD5b13af738aa8be55154b2752979d76827
SHA164a5f927720af02a367c105c65c1f5da639b7a93
SHA256663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4
-
Filesize
435KB
MD56dce34246fc125f14603240550420570
SHA195a0b3042404eb119d97c7033660f39989f5027f
SHA256731c001689d6c22f88df8026e0eef964094cb4a6da1e8a8b03193f53143ee0ee
SHA512eb51a90a944ad19cf56c1ab317a8b91591b0742a440a2e1ec05241eee5d45ad790bc5e647c202bba06fed193c7024d49a549475f1046041f1a9d1685e7889d70