Analysis
-
max time kernel
1183s -
max time network
1173s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
27/03/2025, 19:46
General
-
Target
Bewertung Dokumentation.pdf
-
Size
570KB
-
MD5
642dda2b02d66b2d92dd230c7f48c3e7
-
SHA1
22925e15898dfdd263e0fc4c9236ca164ca0acbd
-
SHA256
9d178a49b3dbb231676082c4b0b0dd6ed4ee16efd76260e3b5cd15c25d4c024b
-
SHA512
d592eb26b909b6c7c18afb6d49e7ab71684d3394c04b989152f7a064e0fe276ab56339b5c83972d7ece1cc6b3be90b0da3b020d101e633816f59ddab271c815a
-
SSDEEP
12288:VkzKlmqqqp7jqrQq6ysZViZIo9M38D95tYRC:mGp7jqEq6ycVyW3Y9YRC
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Using powershell.exe command.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 60 IoCs
-
Modifies registry key 1 TTPs 48 IoCs
-
NTFS ADS 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Bewertung Dokumentation.pdf"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=914BFA0AFC9F1CCD65BFB671C5FAB976 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=09A720329B69F52E66D3A92721F62B0E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=09A720329B69F52E66D3A92721F62B0E --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB24C6B9969ECF2AA06083D6AC2350D7 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3CBBC2C8CD965474645FDD25A25A18E8 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6E8E211EEB74C5F330A5DD9840BE46D0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6E8E211EEB74C5F330A5DD9840BE46D0 --renderer-client-id=6 --mojo-platform-channel-handle=2544 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC84E1FC8DBA5C7ABB9B43B8C4287B93 --mojo-platform-channel-handle=2788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C9EA1919A3E68065EDB200AF0D75D6EA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C9EA1919A3E68065EDB200AF0D75D6EA --renderer-client-id=10 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 8.8.8.82⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo CMD is working"2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd" "2⤵
-
C:\Windows\System32\sc.exesc query Null3⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"3⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd"3⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver3⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV23⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "3⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"3⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "4⤵
-
-
C:\Windows\System32\cmd.execmd4⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd" "3⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"3⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd') -split ':PStest:\s*';iex ($f[1])""3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd') -split ':PStest:\s*';iex ($f[1])"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"3⤵
-
-
C:\Windows\System32\fltMC.exefltmc3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\find.exefind /i "True"3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd""" -el -qedit'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd" -el -qedit"4⤵
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV25⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "5⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd5⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "6⤵
-
-
C:\Windows\System32\cmd.execmd6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd" "5⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd') -split ':PStest:\s*';iex ($f[1])""5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_105ef56b-b18c-4105-af53-38570b89c47c.cmd') -split ':PStest:\s*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"5⤵
-
-
C:\Windows\System32\fltMC.exefltmc5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\find.exefind /i "True"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 activated.win6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck30.activated.win6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/S"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "5⤵
-
-
C:\Windows\System32\find.exefind /i "/"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop5⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop6⤵
-
-
-
C:\Windows\System32\mode.commode 76, 345⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789EH0 /N5⤵
-
-
C:\Windows\System32\mode.commode 76, 255⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c tasklist | findstr /I ".exe" 2>nul5⤵
-
C:\Windows\System32\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
C:\Windows\System32\findstr.exefindstr /I ".exe"6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-msaccess.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-excel.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-groove.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-lync.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-onenote.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-outlook.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-powerpnt.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-winproj.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-mspub.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-visio.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-winword.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-lime.exe-"5⤵
-
-
C:\Windows\System32\choice.exechoice /C:1230 /N5⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media5⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x308,0x7ffadb38f208,0x7ffadb38f214,0x7ffadb38f2206⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:116⤵
- Downloads MZ/PE file
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:136⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4084,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4108,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:96⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4132,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4160,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:96⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3584,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4784,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5548,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5556,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:146⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11287⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6300,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6464,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6124,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6344,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6512,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7096,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=5476,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6844 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5468,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7360,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7100,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7304,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:146⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6848,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7248,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7308 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5020,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6688,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7392 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=4164,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4712 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7580,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7608 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=7564,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=7436,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7864 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=7288,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=8056,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8088 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=7396,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=8228,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8216 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=8424,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8404 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=7408,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=7900,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7800 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=7524,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7204 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=8576,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7728 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=7428,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=7952,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7964 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=8624,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8652 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=8704,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8240 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7696,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=8648,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=8904,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8892 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=9128,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9164 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=9080,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9348 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=9440,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9504 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=9476,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9508 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=9756,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9784 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=9800,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9932 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=10116,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9312 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=10232,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10252 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=10420,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10296 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=10600,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=10160,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10540 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=10276,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10768 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=10432,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10416 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=11040,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11060 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=11204,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=11252,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11484 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=11660,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11364 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=11500,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11800 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --always-read-main-dll --field-trial-handle=11284,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11352 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --always-read-main-dll --field-trial-handle=11532,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11744 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --always-read-main-dll --field-trial-handle=10776,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11892 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=11148,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=10752 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11684,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --always-read-main-dll --field-trial-handle=6224,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --always-read-main-dll --field-trial-handle=11780,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11748 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --always-read-main-dll --field-trial-handle=8924,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8980 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --always-read-main-dll --field-trial-handle=10540,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8988 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --always-read-main-dll --field-trial-handle=9172,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --always-read-main-dll --field-trial-handle=11232,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8140 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --always-read-main-dll --field-trial-handle=9332,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9060 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --always-read-main-dll --field-trial-handle=9044,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8308 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --always-read-main-dll --field-trial-handle=11240,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --always-read-main-dll --field-trial-handle=7776,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --always-read-main-dll --field-trial-handle=10408,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9812 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --always-read-main-dll --field-trial-handle=9820,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8352 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --always-read-main-dll --field-trial-handle=10216,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8976 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8708,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=9764 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8716,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=7512 /prefetch:146⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7276,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5304,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=8872 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5708,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=11536 /prefetch:106⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5432,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8832,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3612,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4776,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:146⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8840,i,7639449911619869037,4502701214280565401,262144 --variations-seed-version --mojo-platform-channel-handle=1156 /prefetch:146⤵
-
-
-
C:\Windows\System32\mode.commode 76, 255⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c tasklist | findstr /I ".exe" 2>nul5⤵
-
C:\Windows\System32\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
C:\Windows\System32\findstr.exefindstr /I ".exe"6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-msaccess.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-excel.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-groove.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-lync.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-onenote.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-outlook.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-powerpnt.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-winproj.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-mspub.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-visio.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-winword.exe-"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo -smss.exe- -csrss.exe- -wininit.exe- -csrss.exe- -winlogon.exe- -services.exe- -lsass.exe- -svchost.exe- -fontdrvhost.exe- -fontdrvhost.exe- -svchost.exe- -svchost.exe- -dwm.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -spoolsv.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sysmon.exe- -svchost.exe- -svchost.exe- -svchost.exe- -sihost.exe- -svchost.exe- -unsecapp.exe- -svchost.exe- -explorer.exe- -svchost.exe- -svchost.exe- -SearchHost.exe- -RuntimeBroker.exe- -RuntimeBroker.exe- -dllhost.exe- -svchost.exe- -dllhost.exe- -svchost.exe- -sppsvc.exe- -svchost.exe- -svchost.exe- -svchost.exe- -OfficeClickToRun.exe- -SppExtComObj.Exe- -svchost.exe- -dllhost.exe- -svchost.exe- -AcroRd32.exe- -RdrCEF.exe- -RdrCEF.exe- -CompPkgSrv.exe- -RdrCEF.exe- -RdrCEF.exe- -SystemSettings.exe- -ApplicationFrameHost.exe- -svchost.exe- -svchost.exe- -UserOOBEBroker.exe- -MiniSearchHost.exe- -svchost.exe- -powershell.exe- -conhost.exe- -chrome.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -chrome.exe- -WmiPrvSE.exe- -svchost.exe- -chrome.exe- -chrome.exe- -chrome.exe- -cmd.exe- -conhost.exe- -powershell.exe- -cmd.exe- -msedge.exe- -msedge.exe- -cmd.exe- -tasklist.exe- -findstr.exe- "5⤵
-
-
C:\Windows\System32\find.exefind /i "-lime.exe-"5⤵
-
-
C:\Windows\System32\choice.exechoice /C:1230 /N5⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae934dcf8,0x7ffae934dd04,0x7ffae934dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1268,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2120 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2088 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1932,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2428 /prefetch:132⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4228,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4248 /prefetch:92⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4708,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4736 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5312,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5348 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4564,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5476 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5720,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5716 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5888,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5904 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5892,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5868 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5880 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5612,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4388,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4864,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3860 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6072,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3580 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5812,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3660 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5852,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4748 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4676 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5912,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5692 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5592,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5568 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4244,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4260 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6080,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6068 /prefetch:92⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5488,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1136 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=872,i,1337338338254191785,17592774946181753647,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3136 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo CMD is working"4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd" "4⤵
-
C:\Windows\System32\sc.exesc query Null5⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"5⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver5⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV25⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "5⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd5⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "6⤵
-
-
C:\Windows\System32\cmd.execmd6⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd" "5⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':PStest:\s*';iex ($f[1])""5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':PStest:\s*';iex ($f[1])"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"5⤵
-
-
C:\Windows\System32\fltMC.exefltmc5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\find.exefind /i "True"5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd""" -el -qedit'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd" -el -qedit"6⤵
-
C:\Windows\System32\sc.exesc query Null7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "7⤵
-
-
C:\Windows\System32\find.exefind /i "/"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver7⤵
-
-
C:\Windows\System32\reg.exereg query "HKCU\Console" /v ForceV27⤵
-
-
C:\Windows\System32\find.exefind /i "0x0"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "7⤵
-
-
C:\Windows\System32\find.exefind /i "ARM64"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c echo prompt $E | cmd7⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "8⤵
-
-
C:\Windows\System32\cmd.execmd8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd" "7⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"7⤵
-
-
C:\Windows\System32\cmd.execmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':PStest:\s*';iex ($f[1])""7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':PStest:\s*';iex ($f[1])"8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"7⤵
-
-
C:\Windows\System32\fltMC.exefltmc7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "True"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 activated.win8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck30.activated.win8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "7⤵
-
-
C:\Windows\System32\find.exefind /i "/S"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "7⤵
-
-
C:\Windows\System32\find.exefind /i "/"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop7⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop8⤵
-
-
-
C:\Windows\System32\mode.commode 76, 347⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789EH0 /N7⤵
-
-
C:\Windows\System32\mode.commode 100, 367⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=35;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':sppmgr\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\mode.commode 76, 347⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789EH0 /N7⤵
-
-
C:\Windows\System32\mode.commode 110, 347⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s7⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"7⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "7⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"7⤵
-
-
C:\Windows\System32\cmd.execmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"7⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value8⤵
-
-
-
C:\Windows\System32\find.exefind /i "computersystem"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul7⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul7⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST8⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':winsubstatus\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\find.exefind /i "Subscription_is_activated"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "7⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"7⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value7⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE7⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ver7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\PING.EXEping -n 1 l.root-servers.net8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s7⤵
-
-
C:\Windows\System32\find.exefind /i "AutoPico"7⤵
-
-
C:\Windows\System32\find.exefind /i "avira.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\find.exefind /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts7⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "1056" "7⤵
-
-
C:\Windows\System32\findstr.exefindstr "577 225"7⤵
-
-
C:\Windows\System32\sc.exesc query Null7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start ClipSVC7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start wlidsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query wlidsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start KeyIso7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start LicenseManager7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start Winmgmt7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt7⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start7⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type7⤵
- Modifies registry key
-
-
C:\Windows\System32\sc.exesc start ClipSVC7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start wlidsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start KeyIso7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start LicenseManager7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc start Winmgmt7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query ClipSVC7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start ClipSVC7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query wlidsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start wlidsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start sppsvc7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query KeyIso7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start KeyIso7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query LicenseManager7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start LicenseManager7⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc query Winmgmt7⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"7⤵
-
-
C:\Windows\System32\sc.exesc start Winmgmt7⤵
- Launches sc.exe
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState7⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState8⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':wpatest\:.*';iex ($f[1])"8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "11" "7⤵
-
-
C:\Windows\System32\find.exefind /i "Error Found"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul7⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE8⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"7⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 07⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value7⤵
-
-
C:\Windows\System32\find.exefind /i "computersystem"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "0" "7⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "0x800410 0x800440 0x80131501"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul7⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"8⤵
-
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul7⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul7⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE8⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"7⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "KMS_"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "7⤵
-
-
C:\Windows\System32\find.exefind /i "Ready"7⤵
-
-
C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f7⤵
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"7⤵
-
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul7⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "7⤵
-
-
C:\Windows\System32\find.exefind /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"7⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"7⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 07⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus7⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul7⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Name8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul7⤵
-
C:\Windows\System32\reg.exereg query "HKCU\Control Panel\International\Geo" /v Nation8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))8⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "7⤵
-
-
C:\Windows\System32\find.exefind "AAAA"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 20 | Out-Null"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\ClipUp.execlipup -v -o7⤵
-
C:\Windows\System32\clipup.execlipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem9350.tmp8⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /S /D /c" echo "Windows 11 Pro" "7⤵
-
-
C:\Windows\System32\find.exefind /i "Windows"7⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate7⤵
-
-
C:\Windows\System32\cmd.execmd /c exit /b 07⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value7⤵
-
-
C:\Windows\System32\findstr.exefindstr /i "Windows"7⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f7⤵
-
-
C:\Windows\System32\reg.exereg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 20 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile8⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\mode.commode 76, 347⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789EH0 /N7⤵
-
-
C:\Windows\System32\mode.commode 100, 367⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=35;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[IO.File]::ReadAllText('C:\Windows\Temp\MAS_18ca8757-e91d-4af2-8b35-cb70b969ea9c.cmd') -split ':sppmgr\:.*';iex ($f[1])"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\mode.commode 76, 347⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456789EH0 /N7⤵
-
-
-
-
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem8B61.tmp2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567a8abe602fd21c5683962fa75f8c9fd
SHA1e296942da1d2b56452e05ae7f753cd176d488ea8
SHA2561d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA51270b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6
-
Filesize
64KB
MD55cf9a65896508d02e02c7204151f8ac5
SHA1a779e343d6b784b1ae5985cc4d6e967905fa6915
SHA256e8407762e715c98dcefd649296cf9e803165543e4832178b7c426ae23fe8593c
SHA512917cacdfea07f407a195709c3f7bb77bf29a31eb58fe83660445664a04b7703cfe07ab0ea690b3cc2374a69ed9d23038e27bef37311b62d40a83d7fb53a2d68b
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
649B
MD526ea9efb64bca2eaa8fbbf24ccb076b9
SHA1e262c2c37cec36160a095f057197fcda795a0c3d
SHA256f785c1779282f0206a4adfbeeb237b3572643daa081311fa79e9395108d94838
SHA512dc173669f660809cfed51654b115de905665a17d03776870f3ba53e5673419db08cd386df09cd27687c9af74795643c38f0280c042ef136fb29e2cfaa3edc6a0
-
Filesize
2KB
MD51299feb9358782cef8042659822343e6
SHA1643f8a69deacb9af5a5d531c32ef87220faf475d
SHA256077610e9ba14bafecd0fd77f7d5f0ce29e1bd9885dae6b4ed7ef4d12a29f72bf
SHA51289c91d3b8902b4e0ca17b7ff5dfd6adddd73ab34ac0fc35962268246c3109722ca9dbb22591a63eccfc708d7e42384f44ba4bd186507ca6db46c71bda52a8b0e
-
Filesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
7KB
MD5c5da549c2eb4485226e212e6534b23a7
SHA1edefe3d61a73a67c9839b230aa48fb66aaba00f4
SHA2562e232eb4fb7ca1cfc8641eb82313ebee939027f5039a14ecdde8749f712399fb
SHA5127c1d51109bc4acf2f96cdb4bb7a9bbdddc443d75a4c1b3c0f885ad6cfd0bcff3dcd85ecaca89927015dc97b3fc8a036ff2c01eae4d53cb1c209805b1729852e5
-
Filesize
8KB
MD5bd80ae68e774dddf42a178e2d94e5cfb
SHA14e73f15c65c02dc41ea15e8659f2d4a4c76e1b6d
SHA256e52795ba868d3d649e66db58b05ca7d335304a96aecdddc4b1d1eecdb3dfcace
SHA512d229c8e102d140f715c50601357577ae627a06f6e1a748a5c627949a42d8ac1712e57c29d1f22c004b0670a4f54a61f4360cfa60392e20cea153f6add3ebb1ce
-
Filesize
1KB
MD511b4649ddae1d7118eb9af731437f668
SHA1dd7b4dd6a08eb7cee59da18d225f333091d15d47
SHA2567e5706d4e58ae5d5bc96a5d87bb13e39ee3d7b89aaebeb9b5afd8c0fbe699eac
SHA512a2844f40f4f2be7dceb9f2a0790edbca9be112ae6d32027ad4ef8e4f51e47671f4b4503be0f4b3fd128682811072245e75c614ce5c18ad975ecc723d151c836e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
12KB
MD59b03722c06dbc7257e6c59d4ae12b4a2
SHA1176088573394baa19b1c5d590ed205496d13c42c
SHA256f5c65990eb39bfb986c695313147c49a4786aad0059b8315cee2b277ae8ed2a9
SHA512a0c226ee2ff17522380f6b237a390cc4390f030682ef4815dfe401363d16ae130af7fa4c8ef4b5fb1ccc7571059e7c00a0549a22c47958f938051910643f5b3e
-
Filesize
11KB
MD53d1855a2ed815c3d5fbc1dc7eda5a59b
SHA14802f893bfe4db14c471cc60a9454355086cf98b
SHA256e7db569e6db69903ec00edabd55506e7f33d7ce828893445961e6c4a507f8e4c
SHA5123da610c29c3f98b8d65433805a28b547f0502d72f94c8c0ec50226e813052ba569a6b9db288c7860ff7b276479fe9648937557419785a4d3783404bd1add3c7a
-
Filesize
13KB
MD55893f408fc066e14ecb1c4e38625d9a7
SHA1ce74dba5ca25666120c11a4e9cbbfdbf94a0b1b4
SHA256e8702b7a41d7271cb77820e7f242b03d147f7e064ae1f0165d80d0bb44a7375d
SHA512eb07e9fe17f33bb075ab966149a5ce6b7d2f729b01d596befc5fb0958ae37b6c1c482442dd59b9ec42b9555f39392217e8c283ac7b428b4633dbe0b2aeacabb6
-
Filesize
18KB
MD5704470a316bb04b67ffe8937702bfa21
SHA1eba470760d4eaaec94aa0ea55741065511f61b0a
SHA256d0acc3cba298b1d4946512d22bbe1e731f48bff0e63c3c8cfb9bb8b0c0e9c55f
SHA51288cb31bb3a5f8944521dca2fbe2174f19292c31815752d981e7faf53f145d8f5d12e575ed0249784417999b781823e233a3f896347d31a930891887f8d3e44fb
-
Filesize
15KB
MD5898c35279a7caf6b3ce2fcb42799538e
SHA13e918370544b5f080b24ceff84a5c746a6f6b235
SHA25667e1426b9ed9741570baa2171de83878f05f4c40ffd0f47a86f13ab47ccaa570
SHA51249b259c4835a9d0fc4e757696c45997e350d1ab23c7cff89a64f39c6129e073eb29ca747821ccb1d83393d35f9f1c9d05f7b0549399d4fbdab3791ac0993f440
-
Filesize
72B
MD56d7452314a50db7a924ec471904d7195
SHA104a14491c0cf721844d101b4da2e93cdd177c624
SHA25642b26fb8ea6ac76b90c330aaec6d4fdc9898df8f63f97d42d31f04db5bda54c1
SHA5124cb236b9c3dc2bffddf187b6addc745c090e42d1a6c20b798e82caf0ebc87af7d50896072489444707efdd03e99d443ef64bdbfab04ca0c2018e86b476bdb1db
-
Filesize
72B
MD503d798ab1ee62580d9ed3c4b991cce3d
SHA1645c4b3568a86d1087d335a74ce3a27fb007669f
SHA256f61db1d876b3c6b58afde6808147871971c0fb956842b2d49ff761e072caaeb8
SHA51253cea9ea53ec38deee11c39f1119f275f9f1362c68d2172dcb3c84263bab6f9f8f88653982a4c6bf97100fe9febe803c1288137ed89ef6907f3e91d41c79475d
-
Filesize
48B
MD5eb15e83ec8ae6ff523b0c7c3fa929442
SHA1ec8ff92f5e7e238814cbf2a2a3684670322444e2
SHA256b8561aebb882698060331b635474e62b40618f9d064a121088ea2b456ae67057
SHA512a50d6a0b6e554941eb86d87b3a64b174eafc6b5dc6a41d103227e18e449c01b4f1d55fd3dd1d3eede16c37df15b1d5385f8bdf49421d6aaaffe0a23adcca41e8
-
Filesize
156KB
MD596fb9d103c6d210d2ffc6ae65b066131
SHA19c015e6da176b4d6b7aac5496bd8e6b75bf40347
SHA2567c67d184470b6d6f081f5617347e863d59d6d78bc830a71414ee6572a57f2a95
SHA51204172c6b58321397803c5db1fdb9de43c15e62307518c867fa23e6a09d73508ee967cf3995bb7cc93ebcb61df00dc098786f0ecb8250f5c85c474060e3fa48de
-
Filesize
80KB
MD5e00773339c53008ef0de323a29fe6963
SHA13a8643c9f56510409202d4133734e9d920ff0d9e
SHA256a9b409bbd77401c6ce432da886ed029bf96a1358bd71edb6bf463beb39c2b3bc
SHA512305d46a63776f787f5a9c38cd166da60e5ce0867ad624daee65248a3447890a142e9cec536d6ac3367e097c818f836e6a5280b5bef3450455f0a1f2cf0c746af
-
Filesize
155KB
MD552b32b3de0c1bc04cdbdad1c7febe258
SHA1d4440b111a84e8afaca8fd2a0cc05ea588425f19
SHA256d581980acb011ce5accd96bc0a76164b686e7f41f9f06be41e5a90af0e438bcf
SHA5120a5e6351dd76ecd28514a0aeff0296f6443e9ce8ad37cb51d6d12d58f2f501c74ccb0e669f71ceb7cb08dbba012580c91352efe4cb563aae9c944a839e115bfb
-
Filesize
156KB
MD5387e4816c82ec0c4ae306125a87ee3c1
SHA1c48f4fc60b205bda7c02c4323c8d3a50a5d7138c
SHA256ce1b71ddb031c4925e8038af6ddcd90f8eb369a03639cdd606208d1b00436a93
SHA5127d7798cc9f17f854e91cd0a3f4f3c77444c19f90b0a54b0c8784be7e12a3552d6c6424e983aab9ae2a4c0bd7520cab9607d7d3a37c76d03b1ad7883540f1255b
-
Filesize
155KB
MD514f9a647a065d35c18d2ba8db93b92ce
SHA1f0605a8eba39da70289659f4b609925a3bac636e
SHA256616f4a97d9d2d760cf1d7db409d3e24d06649ce00887d9f886de9e9bc0b102b4
SHA51290d33547f1558afae045e3225d1fd79a4d6efd2f0589f40d608b6f96668129d00b78c8d4984ec4c811e4a2c36ab36f5599a911ed7dc1c501df230eba442409a1
-
Filesize
156KB
MD5d65e6e6decd526f377706d56184846af
SHA13a507209a09453bcf287f610579f616d81429777
SHA256d7d42e905c25aa597ef0c71bc9f25c2d6da22fa1304cf924dc21160bfd26bc28
SHA51214dc12f883443209eb6c77727ad2917b15feae3cd8ee3323cc3e83e3c53354c7fcbadbe07bcff444c1c811d2f96caa4f0f018bda3bac7c92b9074a298543aec3
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
280B
MD5cbc9fc2d9ad2df85283109b48c8e6db0
SHA1721ea0dfafd882d6354f8b0a35560425a60a8819
SHA2567c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe
SHA51209594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609
-
Filesize
280B
MD5046b1cdbd636e82e7711ea1fde31d7e3
SHA1f5fa4183cb259a99b4148ee957a5f76e80a77ada
SHA25640328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a
SHA512460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4
-
Filesize
280B
MD51700927fc9307747b6f4e3a85cce3706
SHA1567fb1530e8393bb41b5464d19010cbc32408d44
SHA25630be93efca80985543da2bd14f7746151b900e63a1cb33050c67513664abca90
SHA512c8b208ee5f26f3e0673c332d4e667c715ecfc939f0378d5f62844c027c817544b12f43403dffcb2afa3cb99c7da44d834a94a364deadfdf795978b3e673b21f6
-
Filesize
27KB
MD5d2b0a6f94b6922d1d184dd0d274a3ce8
SHA1c90ab06f09ef84d31bc52d24141efb2541b6be89
SHA256cea7f38cbab58c4262b92447b4c858890c15ac87bc8423344d242d380c80aa55
SHA512f4158b7053395b21e9dfcf7fbdb3ac97a3b70359bf0490d8ec07ba1b4e4c116348ffa87191838ff86d08ce20966af260115befebe4734cb39e66c7626be62b3f
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
1024KB
MD5df7e549e3352b8c2672a802483e665bc
SHA1594359afdb93c5939a3fc1a63c8f444c36ea826d
SHA256db49ad9c27bd76b1764c5a849f4cc915057da1c93496059605831ba8953145eb
SHA512d5e3067825c05866ec9a328f8ede9200735964b9a40f078f5155423eab52753503c0cd10065a4744422656bbff1a7594d83817aad5dd3496654d47a6f39510e0
-
Filesize
19KB
MD53b25fbd9be0594e7d5dd630003ef4194
SHA173d1b16b7b95ec2907407f06c3f353497e29a362
SHA2560ab699ef1483cd423e0880e48701eb0f38d8d250a4f7e63262a5a10e587f6df1
SHA512137ca7a8f12319721e9ad5a729c14c14cd560abad62366fe47d2742ed30e9dcf5f3a3c1c5607deee579ba9407ce5b5c1c737bc74e07e64dee65e1fc2ab8b0615
-
Filesize
76KB
MD5c99f966767a99c2971aaad4890f0d323
SHA1d6dd4e0199e653bd6663c5203dc3889e9b6c0baa
SHA256ad5f0de938a628df6b0de66005e92497bb39c09fb8491ea7fc4d5afd600262e2
SHA51202475dacf307541c4e2801b2e849585d4210990fff97bf5afe9f44f5ee46ae8ba21152295cd8baeeecba3005250d81e7d280007f0b8f57f77247a3e2588b7c1a
-
Filesize
128KB
MD59b260b685006cbdbb15f9a96a17e63e9
SHA1393d72cc9d928b7c1696a9b8cd31c3157a1a7988
SHA256e26c72728c98ef25f40ecdec620c3003884c79a1476738443c544b209c804069
SHA51273dd76887252e4bcae44a972045c722150953fb08c4d4944df95127c4ed51ea6246ae2b588debea6de59f1aece9109fc9831951cd493b191bfbb5691e9cbe209
-
Filesize
256KB
MD53f3297819cd2b781023bb50471132691
SHA1206d8863f895adc7cd368b454c86715ba027a688
SHA256bd2aadbf00196cc0ac2fb4c03e46c10ae55675b44caa9d3419d8f71662841173
SHA51212749e9126de711f23204455aaf9992e02102cf5261e91c3e9f43016a80b83f72854188baed529c0b1ea0c8d78c031e30b2cd70a532e85fd93d1c509fe7965a6
-
Filesize
64KB
MD58244ff6b5f4eddea68c923ad5f8780cb
SHA12d1fc1ede0314f2730ca00eff5038a1007449e44
SHA256bbb972c775b1f3dcfc0309a8496dc42b068512893f52b98a87e4beedde77c18a
SHA512ea3cf5ab0f39b0278611b4185846406e8fbb11d63e6c5e007a732c4d4250463aa039f8805f812ae0afbee45427ffaafe7fb33bab71cd55421e0a66e83ad7e92a
-
Filesize
39KB
MD57a999ad744521231299a47ae4ed6a12d
SHA13f0939136df6d23dc8ab5826615446982f5c528e
SHA2567cfefe47f3eed5c68cbc0f6be1884112f8a7a18ba9fcd47249daa1910009ecbb
SHA51255767670521db715065ac97d47145920e853755afe09d75a58a62e6d13c960f4025641d9c546c01b448ae3145e88d5772667d02861bdbf65d01c3f4b97f522d4
-
Filesize
45KB
MD57149037857321d671b08942b9185605a
SHA1ef676b71ea4ae8f3dd8e1e9c625962a5f6f92923
SHA256e98d135cd1decb80bcf6bca69e4146ae022eb04020dc9b2d2d44b27ff6c5cb92
SHA5125b17bd8dfdf693281d502cfcbfb93a65521f363e6854331683dd4ccef44b7feb7609e6c5d005cf9d284487ca4403c2b343adad253b2ec96948d7a50aeb4a132b
-
Filesize
101KB
MD5a4e91dd7094e570bdc11d0f58ab517dc
SHA1b0cfacfcd190ba440985796a4eb2dd00e8328c6b
SHA2563a21cd4e70a71d8ffd283f56d5c56f0f1c951f41e2de0e269c64d3ba75917c05
SHA51236738a7efb2995e79e799ad5a7f13331d6544fa4200e211f312857427010b87a4b3dc2154181dafbe7e9eceacae682fe8302b60134cfd23528c433b2fd36a30b
-
Filesize
22KB
MD5280d0dffcf08dedc8ce52f25270bf1e8
SHA1e9566fd9372120a6fb9760a131f8919934954f35
SHA256ed51e026d37d510820ca0b811d1f774fa8eb13ce09775c5a891853ca072fb58f
SHA5121dd8a347348a3d211bd8f03c30d7dfcf160d62ade9c354dd9649ef4591c874bd466d864ac0aad454a0b0e01f1149c1c5a95aa365affbd7d81f79558c7ddc39b7
-
Filesize
28KB
MD5564a80f06c5058cd19537375a47d2da5
SHA1db5220e6e520a2011362bfe82a1be6fdb413cb48
SHA256230a4ea452bc7ba039775d964e2de8a643a9fce5d9f74c25649a55031151d8ca
SHA512fd617efe1dd3b9425648ea8ca5c7769c8e81e3f78caee6805b0671ed7681824dd135e90191a1195d5ccb8610b9056a07018483098ba473a507ecd100739d1c32
-
Filesize
7KB
MD5f2034c8c8b4b5a9e910ba3b4f6478f03
SHA1bdc96726fa4adeaf025358b557e2c1590775c30b
SHA25670a4117643342dc1e34d93e5aaa6602e2b8eacd8a2dff3d707ddddfb7849c843
SHA512859be87fd7b4f582ff170fc98439d7b82074359ef73d5f88b35e041887a89a1f8dd06aac45eeb5adc8e848809a650b4cb4457e12eaae1c607b292366e12de269
-
Filesize
7KB
MD5539179431915b870219f76c83f66b416
SHA1c4a9f31b84af58f26133caee8cd9fcc1142815bc
SHA256109e7fd2f1c1626b5cc5d25c26fc016c448c46b19fe6800f620a822866253399
SHA5124acc79e3e146352bc9d9fdb162a1764bafaeb75bed9440b87b08872e34d7b389b38b4080fc4739a21bb52349b6d1985b56f58b48fa21f01c69baf741fb60928b
-
Filesize
3KB
MD58916312674d8e3f33dd4482a05da9a9b
SHA1d0c66cf0b1edd4ebe5f951151d0ea10287e513d1
SHA256962c491d8de5f4d517e53ec16f54057ea083c4a75ff82f1462dcced42155aa71
SHA5124a14669781f0e734155824fd5889b9f0fabf15702b407fd936e0a96dec203bb7c1afc7b4c6050de373e6b6d5772b22b916f31640bd63cdf3769e11ad30b53503
-
Filesize
264KB
MD576c0fde559ebc1d6f5db2b2b1b3d755f
SHA1406d314924a6f1962151d291a8e11dad021dbe28
SHA25653c4ec9706c511ae9ebc5f717c2375383fd24f92993f2bd5eda8ed13f88da62c
SHA5124917817ac834136fc16d2024a755e65f378cd2a038b0f4529b273090db54dcb97f2022ad33a693642e4ee252213d549eb3f2155dc3782e7836258a74a104bcb9
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
1KB
MD5578215fbb8c12cb7e6cd73fbd16ec994
SHA19471d71fa6d82ce1863b74e24237ad4fd9477187
SHA256102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1
SHA512e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212
-
Filesize
2KB
MD51048f1f4d861f5c812e5bc268eb68a06
SHA14c9495a3202f63fd0878086f27310db6d3bf5be9
SHA2568b3b5b96a5d6d7c613052b4a751c6632f5f91cb0a912c96e515978999b6f43f5
SHA512158ca9fc4e59568c8d04b8f6ad16fd8216ee10d8869ce1e2dec844e52d3d3b19bd98433665fa003552e8896a2691531141ee11fef212d8d66283d7002ece8c76
-
Filesize
9KB
MD53d20584f7f6c8eac79e17cca4207fb79
SHA13c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA2560d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
25KB
MD50dd7bfdd06a26affb52616143943ef8a
SHA1fcf69fa66f2344d347828453e132c3165f5c4c74
SHA256436e5cd7d7693d47297c28938c5e1ea4a74d2c67ed99c920acc0542105ee1df1
SHA512da623d17b6d65a9e7388c41b232f31f057b8dd44925f6c39370d5974abeb29d4bed1a5f42b0ecb828a464ff1b4013b57dd39cdfa9f80f25409d5695d8090eb66
-
Filesize
29KB
MD5015032f865360b32852292072e0753a0
SHA1feed2ce68066bff1b7b14a3028bed3cecdfe9926
SHA256ad81922a3bfe69e16fd36e9fd073a823cb626a3f4cf55d80fb39ee592c9a457b
SHA512becc9ff11b764d1806eca0d100488f2a91b108f56cbf25e056b814f1f8eb6242ba475a26fa2c5c60f4e4381c5bb0651b4c3612ac563beecbbf3cf5783f7a2952
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
28KB
MD5a6b9dbebfd87afea68173d35e65bcf53
SHA11ea224254f669c65707491d94f59bd3e3c3192a2
SHA25611d4a073a198ab0dfb7671f57a79a73c51737a5880a65faa60b3a83bec648b7f
SHA512af0b67c084c7142d9b5f4946d0d1fae80ca2b6d8470122bf544294c3b1135e7ba0b9c79f35a319679fdf4ce08d5718852141f7506c3cef407d91a8322d058ef9
-
Filesize
28KB
MD5596ab390875183b202159c1935bdf4db
SHA10223d2543500798d2644a6aecc3c48d4268af24b
SHA256774f37b4e32166f13143c0f7bf9282d78afb445bcafbcbce097f1db694c2ef26
SHA51293d2a20508d4b0a1ba3a63d6646064416fba4763da8631969861de7552b1cbf105b7195e51abd7c3e8fdab9215c96c8b29c718a25b1a4464cad2d345b018640d
-
Filesize
14KB
MD50d322bce8270d3cdcff1eb96b6255365
SHA1db3994d2a4ad17b02372eeea1bfb56f79e98cd38
SHA256b77a0a3eda7e325bae1559bd0911e9a9f218771dc5773961e67eed994845f3c8
SHA512a59eb2162bbe8bae7b7e343cf2f2e89e842e3616d6f1e50410c6d122bf1bf242458c6d055c12f096b53abdf98de295f4429793e9fad13d7854cac5b88111c3c0
-
Filesize
14KB
MD52c5b95ee0cfe79f45bb973bcd59211ae
SHA1340e14abd8f1a48eb88cd60ceeaba929035226f2
SHA2565840447c58203b632d25d4f19cce7c2072699e678a251d1ad5bbfb3985dcd3c1
SHA5124509839f612badc3a8fec43ae1d4b887a51eb454d6ff7e238e3584b1c87f5fb643f8e72c0f855b69f815ea174e744e08ae066c9db8d7a2a5f46a9c93cc71c1c7
-
Filesize
27KB
MD5595c086ddabef06fb3964c7594faac8b
SHA11286093d8dbf4e4124d64007d264c97473b4e511
SHA2565acfedfc32b1c85e2646f4f54422364d10669d161434000ac7c9bf14b3073528
SHA512aa480256223e2508078f71173b0576c6457ef4478f7186ad0b1d07f2af80bc2a3beabbdfc6d9703762393749a31e8477e63c7720fc8b4d7098c0e40f0fe98255
-
Filesize
25KB
MD57293d5cedfb3ed10d8a5f499f747fcd3
SHA133f559ff8d36d19e4a69cfb4fcdcc284b5886572
SHA2568cc6c501eee0a946c1415703d0fd5d08d3b9a20164ac6df27249298f39821e75
SHA512c1beb3726484a2a8aef186952ec0efc156e8ab5c60b3e7fb15587416c18256dd1fd4418b29425af0ee67b6de8275e91050b4624759fd32d6562ccc6e44b06760
-
Filesize
27KB
MD578d82c8f7a410f7c7d550338cb861c6e
SHA1e9e71a9890999387aef9499835d7daa6cadb7626
SHA256d6521bdf6753b29223d7038abe04a81a05cb718775c6ad0069957a39b74f4ad5
SHA512fd37cdca519e7da77600670421aff32b0d55676bb2e4c7d49baf914d31b48261cc11f371465b58b7fa86a3c893536344dcbcfa7fa5e7749d2ae4b4328944eff5
-
Filesize
28KB
MD5043165fa2453877c7d7246a79a98dd6e
SHA17b70a65e6b50b9c4227f4a2fcbba516b15388bc3
SHA2569755f1dbfe94b22a5fe2f54a9c0ed4f7792ef9a1f6128346d93edf602387f2a5
SHA51233c0cde0d6033c473574826e9a1a31285784919e2dbb0d85ae0f6291b41320f7e12c998ccb346a7ae57b69d0904a33d0b01d98a6ae2bb6a698fd4bd3ffaa1224
-
Filesize
37KB
MD5846cabbddf55d452e3c55882a5b94d2d
SHA17cd835e2a421af99952a42d2aa24b40da7b697d2
SHA2569db212f2b8c1bc074c426438183146193ddcd1ab20b7fb73a07f221578eadba3
SHA5127e93ee452fc17bf47b7854b3bd49ccbace7d026f43ae167f93ffe2e38a4410b3118107a9777292f37fde5bc3db3eb6ca91d55e03b7628262561b5620388dad59
-
Filesize
72B
MD580826742244010affc3c697c155de1a4
SHA1b0bb60db5e83359c5fb29dbbfe34b899b016a3cc
SHA256c4bbe8cdbdda2c397b9cf4c1d81a06125e430a3e6edc7bcb7679abc259451cf5
SHA512a21fcb190e4c448e8e6b16234a8016b1f066ee8474ad327a46651137f97f598b0201ebfad16c69b6f9e421bb2be99540e812bb61a2e3e21b70b3d2fde01f1706
-
Filesize
912B
MD5018b5e5b17c9aa970a6fa3ccc169f262
SHA1ef4b5ff1cb025aa7a95ed08869fe480d2bfa80f0
SHA25690d9f4be5c536efbfd75b12ba5c54e7ff70f0dbd3d22ced9ac3f42ee6039357f
SHA5121ae5cae5b5d842875211d64430f7ad55d8ae889f25afe62ce47b5052e527a926b7fa538fc951d1db5e94dc8ff9cc258d47c0d56bbcfe03733b9b2bc8c6f6eae8
-
Filesize
2KB
MD58569faf3521fd7f4fb89a4c836ef7baa
SHA1ab0b58845ca52a622211cf980693d14abd9b5732
SHA256e1f00d36cf6d7a0cc2b4f5ab5e6734f56dff55d765fa293fc9257796708f2b29
SHA5122db9784ade04cf404cbcbe82ae16ab9dccdb28d246d48ae9a387addbfeafcdadd775f4c4b17fc64a74715082d5b496b7f1496aab6a0b38a6a0fff19e6fdd951a
-
Filesize
912B
MD5a945b394faf37808e0c674882fc28711
SHA1991a114268b7839e57aaa222258262a4fca831f0
SHA25645b9ba28dacb39fdefeaff25c2a9bd08cedd88a61274a2c678e9331fdebe3122
SHA51231bf0fade162e730cd9a0516319d09116941e00a60591beb1270760809ef011e8ac79d284d3886ae261ac604d2c29946a4f05e7f707eef870cb7ebef2d6f24d4
-
Filesize
72B
MD54ecb6328f87992647e589a4b86e5766a
SHA1df7a4b5a09279870cd517622e44a68449a44e239
SHA2565a1fc7564aafc184fcaad4978c0233ae06e1873a87b018896ba833cf55f6eb59
SHA512012b91268da759733eb8bb84e2460a0445001f4ab0bfc59aa547978dd273dd2d39c666bd0f7294f13b8d45db3198d1c9c892664573d785bbf7bf39b65a5aab29
-
Filesize
48B
MD52b8f3f9729036e8e53311eb4fc7f6348
SHA171df5120daaecaa746ec8048dc23ebe6a7068997
SHA2564d2d55f435d5e353d8c43c6140ae5da92488c76184d1539ed9ee61fba29774c8
SHA5126d9abdf2ed8b60b6d6e5da81cd5fc31783548289c446b5df13e281cf49dedfea62072a096b8a9a39e37a88afa11fff9dccc52163a80627f398bda25ed3281e0b
-
Filesize
56KB
MD5c91a85b78c47e3dd2adc070aef7820a5
SHA1fce3d0fe43b974569ce44f6218ef34f4f6ea6872
SHA256405b1e3ecb507387d4c3b675ca0da018aa5880b04058eb719bb9c2bacded0407
SHA5124632ac1f8883e76b8ea3d581dddaf3bb9e4c28c488f48f7bf940220a944bc976f76501cb26f909544c142a58470726929c22edd705f57d4fe8b06e628bfc3b29
-
Filesize
72B
MD5e0c0af705bc0a91d6a62f112ee82092d
SHA1c2c0e9ed79cc8357a0db9211660dd51626c6b236
SHA25640190773d1aa8c57a49c1d833703a00c10f2ed6c4d608e36ae9b09eae75606f9
SHA5124e7595265959fd68d0256ac0171f11593ac641f947609c96a17374ee1adb0d7f84795b1283c6ed5a58c4bb2eb59034fc0111980fee1b6560cab273fb9b0ecab3
-
Filesize
72B
MD555e958745edb2f8548ea07105d1515f8
SHA1d60585c097f486154060138a61fd1b88ef3af504
SHA256f068dbf29c1ba68faa1f8acb8ce52135deb1583e32a92b3f68c729e3863d1ebe
SHA5122fe336633158c699a080de3cb5503a47c9eed14eea916660394b077da633c8a5f50f3f5d4a6e9c0084c3b0b3a1156fed7afc77296955a7075d325d4262a2ee84
-
Filesize
72B
MD51deabf678b6a5e1b1c2bc96ce6c1e574
SHA1371eeb848e12592fb27b03dd37de3835fbdb913d
SHA256fa44a5d1661a40b48752d985e76c5e3641c32be312d710e9d4e81c9d35e99d92
SHA512908acf90578a33463aae2b1a462fe739b753576e8892667441ff63b46b55437823d548099ec07151d474df263b29a3d4855c1dec7a6c48bf767bf67839497cd4
-
Filesize
253B
MD59bec29008eae63c9fdbb350b36918661
SHA1d57fa5d047ee52723df976da6a9afea438fb851d
SHA256f53958663bec9214d534c61066975872fc8f8616e61ee18f0cbcb4f2b19b7ab6
SHA512063ed6acfd730e8d18932d0f36bf62f567f8d4a0a80410ceb60c52be5422ed602efaacff38e2020eae1544f950e95814c64c1e750ae38c3bad3e7bddeb47ffd0
-
Filesize
327B
MD5fae0daf47170ff29d32662a37762673c
SHA1fa6e30d378aeb7186a64f9fab481d1e4a40b43f6
SHA2561cd335fb1c6964da54cdb9105503be16e60cde0b067a2a1a55535be53003bb7c
SHA512b8e289ef289c8beee92bf30425af65536180732ad00eff0c53880f9e212fe2c3eb6f8ea724c7f07e629f5ffc294cd9a0a4f8d5c83012fbefc2d1947e6fa2c736
-
Filesize
322B
MD51cae3402e00acddc171dabaf121370ce
SHA18f7bd951e0ea1283e98eeb91a19d93077188d968
SHA256a59349f506cd6c32e142c9c02e1bc345de792c2eb1ee0844972cb77a8e2752e5
SHA512604bbb4b9c40780663adf6283e67a651037c19c3cdcbf63bbcabc93e39e4d9c49daf26d9e3a26cd5c73620fcaa9ac72707e69a4b3f76315194e24ead47b2cd76
-
Filesize
116KB
MD544fe9b352eda9f47a4309cacc372df95
SHA10520e1bffddd7df6aba373267444e7092db2969a
SHA2569fd15268c74a0bd0f0ad2541bd904e98772411ea2201d138bbf5d600b25985ad
SHA512cbaa6aca07896d1de1a240c723359aafa5e8f4e36e3462379bf816153aa55d3e860a12cd90879106327e7162b3f7210fd904d4590fc17713f80ade0717e6bbb5
-
Filesize
204KB
MD5a802b5e5f17b7bb3c9af50d8c679a6bc
SHA121b5f451e9a1f0a7c8ae36d0de73f0cc77dde7be
SHA256f4fb0be6c47a37af5887b0604729a4a1fa9efc7c06e7dc02a60171a5ad98f840
SHA5123f6b9a2ddbde17e4923b934fb30afffb4b47f2faf2d199e350c09586790ae4f4b3ab49b4d8c200f08ed312fbb2ffa09dedf061585d948f40a4347db4e9edb6f3
-
Filesize
72B
MD515463364912089e8b5d27d4eb098e393
SHA13bc725c8661e8bb9ba824ca327eaf9e0c8d9ffae
SHA25661d63b6672f2655199898735f456155947089d8b9b111162e8194e809d54a042
SHA512960cf93541051064b4fce67ee51685980a1efd89863d60b3be0fdf623e8b70ef34c3ec463f5bb0527429a65fd89dfcd5b1405e83a22b7547cc196079d2a84e9f
-
Filesize
48B
MD5aca6f64eaceb55a77676274076d8bfc0
SHA19127aae1ef8897c536c1cb2a0f580670fcf0f656
SHA2567db9efca3ec533c50f2e8c713e3dae31e076e8f0d04ce0d9932324487c46c28d
SHA512467c9fed690740fbfc81792ac904de257a1d880ede3a01cad416a2d2e41dcfc7fb6f65696d9b7d403da6ad8dde7d7631075eb81d4d134ee61afc33ce13630ca9
-
Filesize
4KB
MD52dd77fbe48987b909d973fe485abe654
SHA15a833467186e6d218eb0d88f5bb975f53bceffcc
SHA256592daeee9e613cb1cc162b4ea33d76e276e19ee77e65f2fc878b96ab8397f850
SHA5125ce6a3c00e47ed6a1927e475cc7e082733b87249c51463c706940a8b0a315831bdf0775b8ad4e4eea5dc6c53cdd2a43c425baa2f61d64027ca0d8ed5d058dc28
-
Filesize
17KB
MD52ff8f481a9766c778a30b2169cb2e7c1
SHA1b7a20764a0e8a905e4dd632193ba4f7fc42dbde9
SHA256b1ac651d29d45dd39cd8cab13606ba739d14a9abc71e3a894ca76c0079e3f6b9
SHA512518eed6c390a54e6aeae0f0fc151d963c9d1b24e1142c95a902add5426e37db7c5481306fe736382af39e154caa20278cfee9473b84b0564a70db417b65bdcc6
-
Filesize
874B
MD547ada57e5b15b8420ab26a5afcdf1322
SHA1eca2715322a6261995070c4bb7ce7f4e3c961a5d
SHA2563874e56bad504385d6d9ba299579862bfa0dc73bfab80c821bf22f423d11aad6
SHA51299f327c2215611a66d52dd907f5ff98a06ed371b396123c2b97e66cefdc517f4681a4191127141872e8071c889cb672564a58c09f179fb80ff3aaaac849497e2
-
Filesize
23KB
MD52befaab6c44082079dd6172bd94d58a8
SHA1f9baa774c05ca913a33fa31a843402f250d31ef9
SHA2562223d4819ba002a5e42970357133eb02f227e185f794f93f9347ce500be6c4d5
SHA5125a749f113ca99f8d3ff4be5fdda160e50987eae7d7c4e554b3aea42175e3cbbcd55d1005674c9d15b3be1af0f3124634908c84d1b23de3fc51c5b55bd4c963fb
-
Filesize
465B
MD508dc447f459159bf0d8b49797c50a498
SHA1c9a9f7c05f9b89e6f8da9656e458958bf5e10cd2
SHA256a9dd2eee7d92be1a71c0111f0ab0903e9fe62ce82c6cd16198c6b117e8a3f24b
SHA512435c28df28584fc2474a84c8a68f678ddfd30bd11a99fc49d821b6065d18bcc965161fc60491b6e48be7cd27f53d66b863d5a267ea0dfa2ab0aee7cd7994f76a
-
Filesize
22KB
MD506592b86d8ab6309c77426804f7b590e
SHA1d63f876ab8d1dcbd92e052769cbf13f9a983534f
SHA25643920eeafa84fd526a2e7c9bbe5de63b5306fdc17595bbc4e8ad1370f53d225d
SHA512f2e4e7e937cdb486fa9d524b46d3a97a02624e4f612325da590fbc46ad337e063b771c8370cd389e581f1b16450c410850bf1979a46a118ded4a491fddb56ffa
-
Filesize
3KB
MD5c7569efb2fa9fe93c0ea2f0896f54036
SHA1e231c700b778b624f6065b035e5803fdd8b4db4b
SHA2562422f055fd21adce7a027c3eaab1bbc474345a26cb1b9762b3d7572ebde67d3f
SHA512c394da9a75cca87f6e20cb2abbc2e087d3e374b613bbc960f255ebfc8f01d4349fc8a487ec56ff8141f47566cf021dc33196e42b6295ce5399ff78e5ce4b066f
-
Filesize
3KB
MD594406cdd51b55c0f006cfea05745effb
SHA1a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA2568480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3
-
Filesize
39KB
MD58226c32e3c70e6d4c5fbf9f5eb47ea70
SHA175b282b3243d8910b015e2ff49abd2a007e56815
SHA256509421317606da38840fd1c52c10d53a4001213e28194f2058fe2be41cccd3f3
SHA512600215995267ff890beb00e1cca11a0d060ef76bacaf2dada64e7457b03aa33761f030129267b1ff19eeeab963c863c28488d7648bdc209ce716c1b2b4f67094
-
Filesize
30KB
MD5cd83cb6ac40b9eb1ecf508c63d77166d
SHA13a5bc32490f5844ad059a6393a3bd73afa90384a
SHA256ee02fb1fa1a8a7a85e0b529b89e9a8d24cb5059cca88d58d0f10136bf1253733
SHA512638c25c4ea28ed72e9c2d4ebb291686fd6eefda732c8f75e7d4d2461c1dd94ca30b77181e2810c7ea5d4f348df71f7cce16f451b0b4a2f140ade5195d3bc7a0b
-
Filesize
7KB
MD563d3ba82b91a843e4e37d51e1a7b20d7
SHA19277403344cdce43272ccb56ba254d83a5ec18da
SHA256187de64cfb19fbec750fc46e1801581f85a25e6bb2a9cedbb8ea1913a175ae81
SHA51253ac419fa245219ebe87aad742a8ad225ceb296be4e3267207f5324524e31bacb7d430c826f0628fb483d811d6f5bea6fa4d1eb74acfc8dc9f164137edde62d2
-
Filesize
48KB
MD53685a178966f9419db2d62ad3b84f2c8
SHA1efb8ba1b7d427eaed513bd299caa982915ae71b2
SHA256c1c3b72a52de068d659ba7451afb631311097251f4afaf4bfcff6d6ce9d75c5c
SHA512d934971d3dada1cab33f53f09a8d0d402992bd0b88375b8ca08dded4e521648317a456046bfee64ae0cf9071c0b1f254d6a50c7fbc22f94d15384fb2b747a4a0
-
Filesize
6KB
MD54b4eaf44f2a6830f7cd0a59227ba4977
SHA17ea3692885155a7a302a44057ea214b9eb775102
SHA256928d0c86d9e44ee598a81a9ba7c7ea10597ae3ea5e2f80166c9db40b3a79b57a
SHA512aaa435ad0e7795aeebe8441744043bbc03f9688e020a7629ae498f53dfab8c7bbc2783e14c6cccf1d84a847fa173b7caab310d0fe99e27608331f72da102b527
-
Filesize
392B
MD57648622176f94816ac747ba4b71b00a6
SHA1990ff2a40bdda3304433003a1f93ad62c45c2606
SHA2566a10cb41f9630b4d94234a965fa28f2a8567032fac0069606d80bbeb4ed05935
SHA512a5878becda06c7d7796e0f1e5bb612f9fc17bc2d8bf07b2c29fb908f55066cee9ec5d38295241d6326eb2b9f6a660e2bd97d280a9ad02e5bf4843fda520119fc
-
Filesize
392B
MD5f6c93dd982534d4869f7e76843de02ac
SHA149a8ae31dcfaeb98f4a447b74f1973f4f6eace2a
SHA256697f589a02cef279b74675571b8e8ca243da250561bf280243df88f1334f0bfc
SHA51257ec5f6a112b2384094d78a86cbce947060081acd4165ed48f249d95ff3e26c0a83c342167b69c8e4c6cea48b0bc091e51595ddc8a6de94f5f26763bff81a8e1
-
Filesize
392B
MD536a4408ec32e1f81575fe3ef9c7ed2ef
SHA1ce75d78d42f8bf2e1086a78e7e25ac2defc97d79
SHA256584e4c003c86b9964c723735e5f64c1d7a77ad37ca11292928ec98374a08f5fd
SHA5127180fb2bd4656636dd44fe48be45046a4efe54ee06c90193c628f17429db63f8c4d2bdc8ed005797ac28856b73f301c7a49c1a01ee8b88776575171df0341af1
-
Filesize
392B
MD5fec27f8f947f9f1f85a9cb0ccea4c819
SHA1306089f8d4d83619092b9bea2b603cb8bd12557c
SHA2566eaf4b60526537cf89ec6f266469ab21c781ee7b088145e5be5e1603b6eb3ed9
SHA5124b6b792d8b1bdcb847da0a86ea7a281eba297a3d78097883bafc52ef66f6f5d0246cd72dc9f0c164f19b1dca3b5f44517e1006ef5b4473b55f27f7e8eb245728
-
Filesize
392B
MD5a3079748e967755cbb11e128cd1d071b
SHA11cdc80e553b893e7c62014b338a7b5ed474eebd4
SHA256fb295f074d23b45a572859b69c590aafbc497399ceb56b01e8cc62de31f8a4de
SHA5122e90bcf580abfb7e79ddbae1bc15318f2e92c7be83877b9844913e8c025240573adf8168ac682566f491d811291efa4cf9bc296e4f6408a45e58f178dc194253
-
Filesize
6KB
MD5bef4f9f856321c6dccb47a61f605e823
SHA18e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c
-
Filesize
2KB
MD5499d9e568b96e759959dc69635470211
SHA12462a315342e0c09fd6c5fbd7f1e7ff6914c17e6
SHA25698252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d
SHA5123a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905
-
Filesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
Filesize
1KB
MD58a9ce637f47cb4acdbef782b0c075292
SHA161c4f0209f159fae19220a78c4428848c90d0e01
SHA256fd949ff64bc93b6bcff447de4f7307dbd4cfb391faf81efe2a845f8349d9b10c
SHA5126452ea5fff0d3139dd61de41cb37738a228bd13f7b039aa519acb8ab5f2084c10473415f0d3631a68829e81da3dc6018e37cff3618c48ae358c9a94fa91eb122
-
Filesize
1KB
MD55a7997b9cd9a9e512ad671443f815627
SHA1fb9ad246acd82f99e797297a58134a9d0f997ba4
SHA256ca530245f940ad5023933109e6f32d2e3f9b3d79c460affa9ae3105305c073ae
SHA512916efb6ce72ee2a6d0a65be247234ae3f05252fc4466ba8bb02b004087a35d3a586174d4fcac767346da35410fd67557900419e1b80174aa3f8d198737b96713
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
2KB
MD5cb018e923895eb6c81c8cc7d5a5ac273
SHA1497db7e523c3a68b994f20b434f1d25c479023a6
SHA2565fdb9467df3040ccffadd11dca998ca4b9897b10960e64dcd92483e7da66bd03
SHA5127805c9e71f9fcfedcc14198482866ddb7394b3b6b3ff3d9fb71457974b296a1e471415b27555409f6b2bb8deb07c69ecfb7e79597555d1f7325d9e9da705a6ae
-
Filesize
17KB
MD59b3ea46e46f50df34b8ba0e67eb9527a
SHA1156cc2b0b905fa355d2b356a7f6a07d572697c3e
SHA2567d79c449dac52d183ed66fa80a658122e800f89b38c327f1bebe99fb28b52496
SHA5120417da4bfab8b4a6905866d1049868194f701fa64b005bd03c08799acc70e9acc9870611297f8b1d37df5d2a80871495a3f39ce715306cf7538087a51b8f7ec2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10KB
MD578e47dda17341bed7be45dccfd89ac87
SHA11afde30e46997452d11e4a2adbbf35cce7a1404f
SHA25667d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA5129574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
1KB
MD564eaeb92cb15bf128429c2354ef22977
SHA145ec549acaa1fda7c664d3906835ced6295ee752
SHA2564f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c
SHA512f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def
-
Filesize
1KB
MD52a738ca67be8dd698c70974c9d4bb21b
SHA145a4086c876d276954ffce187af2ebe3dc667b5f
SHA256b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e
SHA512f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
6KB
MD512851d07d8ee4517c42425f3e69c1445
SHA17c11b01dffa75c31c98378387e1409d3d04c66ff
SHA25616b5406351a51dbaedefcfab0033efd2ee4c15721b82cce6a2331cebbc845f57
SHA5121114ca81a8624ddd9c5551b176a28a359d324cad7ef04223550df295b3599c5a620203ac618f4527d927a5ca97b6a58899dab0054829a34ef9ef2eeecfce1e8e
-
Filesize
7.2MB
MD56f307a50fa7e3260dae675d42e8b10de
SHA163a178dd12ecd31a827005daf9d57db75a0a0c44
SHA25612c013722acda771610bcc3602cdc17b1f901c976b457ce528362863ba4c43b3
SHA5124c46ed4674d5e3e78221cffbd7aa53d5bf1fc7f3ff204cada01d5a2bf6be8d2b87c4ace18e829735d4a84fd28248591ece0feb7a42c81a5b1c5564a9298c1aa2
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
160B
MD5c3911ceb35539db42e5654bdd60ac956
SHA171be0751e5fc583b119730dbceb2c723f2389f6c
SHA25631952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d
SHA512d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
79B
MD57f4b594a35d631af0e37fea02df71e72
SHA1f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a
-
Filesize
135B
MD54055ba4ebd5546fb6306d6a3151a236a
SHA1609a989f14f8ee9ed9bffbd6ddba3214fd0d0109
SHA256cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5
SHA51258d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a
-
Filesize
160B
MD5a24a1941bbb8d90784f5ef76712002f5
SHA15c2b6323c7ed8913b5d0d65a4d21062c96df24eb
SHA2562a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747
SHA512fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2
-
Filesize
43B
MD5af3a9104ca46f35bb5f6123d89c25966
SHA11ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8
SHA25681bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea
SHA5126a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
651KB
MD5416a1c936135e694d19ae10472c6d2ba
SHA1b2090566c170a0e35061f8de3845f69db1430e4a
SHA256dd0b119d4219b159f522925b46237f00de60ee8a80ba3c2294dad11d6268d3bc
SHA51296144c9d05e43d72e3a848dfd6cdc3aa9a2055d306de4ae4661691642a201435ffbd46c2cefc447731c1d9151733ea35f64bc06a90aa88ff42f9b95c8375bad5
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
280KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
1.5MB