hxxps://github[.]com/abbodi1406/KMS_VL_ALL_AIO/releases/

Analysis

max time kernel
1800s
max time network
1579s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2023, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/abbodi1406/KMS_VL_ALL_AIO/releases/

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "43200"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "4187226795851251830"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "43200"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
4464	SppExtComObj.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	powershell.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1480	sc.exe
2524	sc.exe
1112	sc.exe
384	sc.exe
1004	sc.exe
2860	sc.exe
4628	sc.exe
4116	sc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Integrator.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Integrator.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000009c91734001d7b65524ae5eb1e97b798b94a6e81a56d7f4bd4eeff494cb2573d1000000000e800000000200002000000070012e88d98a7f6309f4a888e3d2be1512b25c6ab5d5eaaaafbdf7480f896ee720000000db8665fddfb4ad6850bde9071a065c7694245e66ef9c8bc65ef9106ad5e48b1440000000ed34aa956d559ad488571e5e5e1e50c640984f55efba5c862d2afb91aeb46acdd22dd78a7803999d4f83912457d5cdd1355cc6ea344770837ceb67742823c768	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03187b1428bd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000c4e8a7890fd1c108da3725277abdc0807986dd76900466edba7a1ed4cf67a873000000000e80000000020000200000002956222f92771284d7eb96fc72dde3f673df759d687d3f50dc637530f8057c4f20000000568a916fc7d023738885cb61d7945c6863ca6390e7043e23d4286531a630611040000000d713ed7c58d4e4648b3d73051c408ed10e7238524001667f17fe59c0d466002b3d6158465164bafd9c8500fb57d01893280c96a89ba3170e4863a3b553325f68	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07ab5bd428bd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391369591"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2913428369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2913428369"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034178"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809a1abd428bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000004edb1abe945612fc3d3e0152feb8dccee4dd16f501d0d39e2aad5b5799f78e1b000000000e80000000020000200000001b1e4252d57c0e0d364342a7bcb383c78c3f7dcc253ac50c185905de4d236f5520000000ff836440f3e9b14f5efa7a2dec2693532cba1bb6b3a0d90e48ea9033ba811c3040000000f3a9dd004c4f4bd503e4c05c6f865bdf29961009231bb65d40575398057239a096915afcec795cd6bba3abee47b952f07da6328209c9ffd1217b5e71595493d7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b000000000200000000001066000000010000200000005537b33d50b6bc5b8ae5f72a436d01d04d43494b58f025b85b6373086c77291a000000000e80000000020000200000004f3bf4ad8ab5c6a6c40617d60b1fc89d8385ca22b4474a6e6c2ab840c07e6e8f20000000ab7d89e50a8646a5c0f870ba1f4d9a9cc10203e4e92e6e72652b6e53ac720b50400000005226feba9a3b395bf1262e4f369a8040a805d3faca71ef1b6369bfd2a68491a67d3816d1908865ce3df9a07efccadcf1d6c954fe05877d77f84e8b2a7fb62dd6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2922650048"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034178"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ad71b1428bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D8D1A87D-F735-11ED-8227-7E7F627BF915} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034178"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 60 IoCs

Modify Registry

T1112

pid	Process
4464	reg.exe
4664	reg.exe
1548	reg.exe
3036	reg.exe
1476	reg.exe
624	reg.exe
3116	reg.exe
3472	reg.exe
636	reg.exe
4640	reg.exe
4716	reg.exe
4680	reg.exe
1664	reg.exe
1060	reg.exe
5004	reg.exe
4280	reg.exe
384	reg.exe
4432	reg.exe
4216	reg.exe
616	reg.exe
184	reg.exe
1720	reg.exe
1668	reg.exe
3516	reg.exe
4836	reg.exe
4916	reg.exe
4668	reg.exe
2684	reg.exe
2836	reg.exe
4104	reg.exe
2564	reg.exe
652	reg.exe
3048	reg.exe
3196	reg.exe
4216	reg.exe
3716	reg.exe
3524	reg.exe
5020	reg.exe
4108	reg.exe
4000	reg.exe
4564	reg.exe
968	reg.exe
4468	reg.exe
652	reg.exe
2916	reg.exe
3600	reg.exe
640	reg.exe
668	reg.exe
1980	reg.exe
4036	reg.exe
3208	reg.exe
4036	reg.exe
1004	reg.exe
5076	reg.exe
4464	reg.exe
4108	reg.exe
2320	reg.exe
752	reg.exe
636	reg.exe
1436	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49.7z:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
1616	findstr.exe
1616	findstr.exe
1616	findstr.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	findstr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeDebugPrivilege	1788	firefox.exe
Token: SeRestorePrivilege	4084	7zG.exe
Token: 35	4084	7zG.exe
Token: SeSecurityPrivilege	4084	7zG.exe
Token: SeSecurityPrivilege	4084	7zG.exe
Token: SeIncreaseQuotaPrivilege	968	WMIC.exe
Token: SeSecurityPrivilege	968	WMIC.exe
Token: SeTakeOwnershipPrivilege	968	WMIC.exe
Token: SeLoadDriverPrivilege	968	WMIC.exe
Token: SeSystemProfilePrivilege	968	WMIC.exe
Token: SeSystemtimePrivilege	968	WMIC.exe
Token: SeProfSingleProcessPrivilege	968	WMIC.exe
Token: SeIncBasePriorityPrivilege	968	WMIC.exe
Token: SeCreatePagefilePrivilege	968	WMIC.exe
Token: SeBackupPrivilege	968	WMIC.exe
Token: SeRestorePrivilege	968	WMIC.exe
Token: SeShutdownPrivilege	968	WMIC.exe
Token: SeDebugPrivilege	968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	968	WMIC.exe
Token: SeRemoteShutdownPrivilege	968	WMIC.exe
Token: SeUndockPrivilege	968	WMIC.exe
Token: SeManageVolumePrivilege	968	WMIC.exe
Token: 33	968	WMIC.exe
Token: 34	968	WMIC.exe
Token: 35	968	WMIC.exe
Token: 36	968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	968	WMIC.exe
Token: SeSecurityPrivilege	968	WMIC.exe
Token: SeTakeOwnershipPrivilege	968	WMIC.exe
Token: SeLoadDriverPrivilege	968	WMIC.exe
Token: SeSystemProfilePrivilege	968	WMIC.exe
Token: SeSystemtimePrivilege	968	WMIC.exe
Token: SeProfSingleProcessPrivilege	968	WMIC.exe
Token: SeIncBasePriorityPrivilege	968	WMIC.exe
Token: SeCreatePagefilePrivilege	968	WMIC.exe
Token: SeBackupPrivilege	968	WMIC.exe
Token: SeRestorePrivilege	968	WMIC.exe
Token: SeShutdownPrivilege	968	WMIC.exe
Token: SeDebugPrivilege	968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	968	WMIC.exe
Token: SeRemoteShutdownPrivilege	968	WMIC.exe
Token: SeUndockPrivilege	968	WMIC.exe
Token: SeManageVolumePrivilege	968	WMIC.exe
Token: 33	968	WMIC.exe
Token: 34	968	WMIC.exe
Token: 35	968	WMIC.exe
Token: 36	968	WMIC.exe
Token: SeDebugPrivilege	1616	findstr.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2120	iexplore.exe
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe
4084	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2120	iexplore.exe
2120	iexplore.exe
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
5076	OpenWith.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
3980	AcroRd32.exe
4200	Integrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2912	2120	iexplore.exe	84
PID 2120 wrote to memory of 2912	2120	iexplore.exe	84
PID 2120 wrote to memory of 2912	2120	iexplore.exe	84
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 2768 wrote to memory of 1788	2768	firefox.exe	95
PID 1788 wrote to memory of 3668	1788	firefox.exe	96
PID 1788 wrote to memory of 3668	1788	firefox.exe	96
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97
PID 1788 wrote to memory of 4300	1788	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/abbodi1406/KMS_VL_ALL_AIO/releases/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.0.2060058026\2009936992" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9a37e81-c1df-4f49-b1f6-857cf385e54b} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 1960 1a753317a58 gpu
    3⤵
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.1.1948199729\1072669982" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c465690f-bf1e-424b-9bdb-ca0ac6a39747} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2332 1a745371958 socket
    3⤵
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.2.515344331\1900676250" -childID 1 -isForBrowser -prefsHandle 3376 -prefMapHandle 3332 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {867c7b92-afe2-4bf9-9d92-479cbc84acaf} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3316 1a756153658 tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.3.1396689767\2072267781" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1f96428-23e4-4c4a-86a4-e085bdd5e19a} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2788 1a7566f2b58 tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.4.470939604\1407519037" -childID 3 -isForBrowser -prefsHandle 3552 -prefMapHandle 3556 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b51a7aa-8d00-41dd-96d5-2376def7f039} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3544 1a756773858 tab
    3⤵
    PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.5.4408063\1258674498" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3748 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0966bce1-9f0c-42bb-af80-f9555a0dc2fa} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3824 1a756772c58 tab
    3⤵
    PID:4612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.6.1246591348\1349258942" -childID 5 -isForBrowser -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69716230-1f34-449e-97df-349cb4b8d03b} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 4700 1a745361f58 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.7.49747243\55206665" -childID 6 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c034cc-01f9-4674-b9a5-35a57d4323cd} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5712 1a759d0bb58 tab
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.8.1512870869\1435043157" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e67a945-3588-496b-a370-a365459ceb5f} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5856 1a755e84b58 tab
    3⤵
    PID:3596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49.7z"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1781655C4F6C13D10E89A01C711027A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1781655C4F6C13D10E89A01C711027A6 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD3AA3E616C49F5CCDD4611CACC19378 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:640
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1795C6479AD061E0D2CE3765BC01AE66 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E61B567B5DB4BC55CE3080219889D0E6 --mojo-platform-channel-handle=2056 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4668
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=59C3F061F67C28DEE9269EC57D04CA7A --mojo-platform-channel-handle=2060 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49\" -ad -an -ai#7zMap21695:94:7zEvent8669
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49\KMS_VL_ALL_AIO.cmd" "
1⤵
PID:3416
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
  2⤵
  - Modifies registry key
  PID:3116
- C:\Windows\System32\find.exe
  find /i "0x4"
  2⤵
  PID:3600
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:3972
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\find.exe
  find /i "Full"
  2⤵
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $ExecutionContext.SessionState.LanguageMode
  2⤵
  PID:1616
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  PID:4000
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3236
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:4444
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:668
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:3972
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2968
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3400
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:4996
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:1112
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:1012
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:4108
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:4920
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:5076
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:184
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:3660
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:2756
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4000
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:652
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:3236
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:968
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:2916
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:3312
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:1056
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4804
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:1720
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:4672
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:3400
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4984
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:1668
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4600
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:4716
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4200
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4464
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3600
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:2236
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4360
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4668
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:756
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"
  2⤵
  PID:2756
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
  2⤵
  PID:2348
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1548
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:384
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:1476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:1116
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1004
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1436
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll" Force=True
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49\KMS_VL_ALL_AIO.cmd') -split ':embdbin\:.*';iex ($f[1]);X 2"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\wzzuooav\wzzuooav.cmdline"
    3⤵
    PID:1272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES2608.tmp" "c:\Windows\Temp\wzzuooav\CSCBBC3F1941BB4D13B065C3465F7E636.TMP"
      4⤵
      PID:3964
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger
  2⤵
  PID:2324
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"
  2⤵
  - Sets file execution options in registry
  PID:1976
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
  2⤵
  - Sets file execution options in registry
  PID:3312
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
  2⤵
  - Sets file execution options in registry
  PID:4804
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
  2⤵
  - Sets file execution options in registry
  PID:3696
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
  2⤵
  - Sets file execution options in registry
  PID:4504
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 43200
  2⤵
  - Sets file execution options in registry
  PID:1404
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 43200
  2⤵
  - Sets file execution options in registry
  PID:2004
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"
  2⤵
  - Sets file execution options in registry
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
  2⤵
  PID:4520
- - C:\Windows\System32\find.exe
    FIND /I "CurrentVersion"
    3⤵
    PID:2236
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
    3⤵
    PID:636
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
  2⤵
  PID:4628
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"
  2⤵
  PID:384
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:4084
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:4588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  2⤵
  PID:4116
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:4280
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:4564
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4464
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:4664
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:3524
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1108
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1872
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:3388
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:4836
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:4104
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2836
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  PID:1132
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:4432
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:5004
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4916
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2344
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4116
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1436
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4360
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4664
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2684
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1108
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:968
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2948
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4268
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1868
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4000
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1140
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2324
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4952
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3904
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3660
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4432
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3312
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2016
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:5004
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4280
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3036
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4916
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4984
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1436
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1548
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3204
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4036
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:5020
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1712
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3516
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:1664
- C:\Windows\System32\findstr.exe
  findstr 2019
  2⤵
  PID:4668
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:4836
- C:\Windows\System32\findstr.exe
  findstr 2021
  2⤵
  PID:3472
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
  2⤵
  PID:4104
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%' ) get Name /value
  2⤵
  PID:4824
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2968
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1976
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:640
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1404
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value
  2⤵
  PID:4280
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4564
- C:\Windows\System32\find.exe
  find /i "Office 21"
  2⤵
  PID:4984
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1980
- C:\Windows\System32\find.exe
  find /i "Office 19"
  2⤵
  PID:3236
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1548
- C:\Windows\System32\find.exe
  find /i "Office 16"
  2⤵
  PID:3600
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4036
- C:\Windows\System32\find.exe
  find /i "Office 15"
  2⤵
  PID:184
- C:\Windows\System32\find.exe
  find /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1712
- C:\Windows\System32\find.exe
  find /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3516
- C:\Windows\System32\find.exe
  find /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2324
- C:\Windows\System32\find.exe
  find /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4828
- C:\Windows\System32\find.exe
  find /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:668
- C:\Windows\System32\find.exe
  find /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2836
- C:\Windows\System32\find.exe
  find /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4588
- C:\Windows\System32\find.exe
  find /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4824
- C:\Windows\System32\find.exe
  find /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4980
- C:\Windows\System32\find.exe
  find /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1976
- C:\Windows\System32\find.exe
  find /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2968
- C:\Windows\System32\find.exe
  find /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1404
- C:\Windows\System32\find.exe
  find /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4464
- C:\Windows\System32\find.exe
  find /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3036
- C:\Windows\System32\find.exe
  find /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:636
- C:\Windows\System32\find.exe
  find /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4360
- C:\Windows\System32\sc.exe
  sc query ClickToRunSvc
  2⤵
  - Launches sc.exe
  PID:2860
- C:\Windows\System32\sc.exe
  sc query OfficeSvc
  2⤵
  - Launches sc.exe
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:1112
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:5060
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:1016
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:3388
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:4668
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:1052
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul
  2⤵
  PID:1476
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID
    3⤵
    - Modifies registry key
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
  2⤵
  PID:3312
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul
  2⤵
  PID:2736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration
    3⤵
    - Modifies registry key
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:4860
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:3036
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
  2⤵
  PID:1436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get Version /value
    3⤵
    PID:4564
- C:\Windows\System32\findstr.exe
  findstr /V /R "^$"
  2⤵
  PID:1980
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey is not NULL) get Description
  2⤵
  PID:2348
- C:\Windows\System32\find.exe
  find /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:3696
- C:\Windows\System32\find.exe
  find /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:4828
- C:\Windows\System32\find.exe
  find /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49\KMS_VL_ALL_AIO.cmd') -split ':embdbin\:.*';iex ($f[5])"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
  2⤵
  PID:2344
- C:\Windows\System32\findstr.exe
  findstr /V /R "^$"
  2⤵
  PID:2604
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2736
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3524
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3388
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1868
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:668
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3400
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4664
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:624
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4084
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4736
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Professional2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2344
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1116
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudent2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3696
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1036
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4280
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1720
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1712
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3516
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1140
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4640
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2836
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3312
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1548
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4252
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:5060
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4836
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2604
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:432
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2236
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1616
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4628
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3524
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3388
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1868
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:668
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3400
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4664
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:5060
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4836
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2604
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:432
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2236
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4268
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2324
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3524
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1140
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4640
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1548
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:624
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:5060
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4836
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2604
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:432
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2236
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4268
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1712
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3524
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4936
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4588
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:640
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3036
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:668
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4480
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1112
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1548
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:624
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2684
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\4A356B4B-9D93-4336-A3D6-76F2E8AB0D1B\ProPlusRetail.16
  2⤵
  - Modifies registry key
  PID:4104
- C:\Windows\System32\find.exe
  find /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
  2⤵
  PID:1060
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\4A356B4B-9D93-4336-A3D6-76F2E8AB0D1B\ProPlusVolume.16
  2⤵
  - Modifies registry key
  PID:636
- C:\Windows\System32\find.exe
  find /i "Office16MondoVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
  2⤵
  PID:1616
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms"
  2⤵
  PID:4280
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms"
  2⤵
  PID:4936
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms"
  2⤵
  PID:3312
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms"
  2⤵
  PID:756
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms"
  2⤵
  PID:3600
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms"
  2⤵
  PID:5060
- C:\Windows\System32\cscript.exe
  cscript //Nologo //B C:\Windows\System32\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms"
  2⤵
  PID:1616
- C:\Windows\System32\reg.exe
  reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady
  2⤵
  - Modifies registry key
  PID:2564
- C:\Program Files\Microsoft Office\root\integration\Integrator.exe
  "C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlus2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4200
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' get LicenseFamily
  2⤵
  PID:1696
- C:\Windows\System32\find.exe
  find /i "ProPlus2019VL_"
  2⤵
  PID:1932
- C:\Windows\System32\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady /t REG_SZ /d 1
  2⤵
  - Modifies registry key
  PID:4216
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:4564
- C:\Windows\System32\findstr.exe
  findstr /I "ProPlus2019Volume"
  2⤵
  PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  PID:3204
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:384
- C:\Windows\System32\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds /t REG_SZ /d "ProPlusRetail,ProPlus2019Volume" /f
  2⤵
  - Modifies registry key
  PID:1476
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingService where version='10.0.19041.1266' call RefreshLicenseStatus
  2⤵
  PID:2344
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
  2⤵
  PID:4036
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%' ) get Name /value
  2⤵
  PID:4588
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2236
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3472
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2564
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4268
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value
  2⤵
  PID:1932
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:756
- C:\Windows\System32\find.exe
  find /i "Office 21"
  2⤵
  PID:4084
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1980
- C:\Windows\System32\find.exe
  find /i "Office 19"
  2⤵
  PID:4916
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1060
- C:\Windows\System32\find.exe
  find /i "Office 16"
  2⤵
  PID:5060
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:968
- C:\Windows\System32\find.exe
  find /i "Office 15"
  2⤵
  PID:2948
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseFamily like 'Office16O365%' ) get LicenseFamily /value
  2⤵
  PID:624
- C:\Windows\System32\find.exe
  find /i "O365"
  2⤵
  PID:2348
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
  2⤵
  PID:2836
- C:\Windows\System32\findstr.exe
  findstr /i Windows
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:3372
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:1368
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:3352
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name /value
  2⤵
  PID:668
- C:\Windows\System32\findstr.exe
  findstr /i Windows
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value" 2>nul
  2⤵
  PID:4252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value
    3⤵
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
  2⤵
  PID:3524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get Version /value
    3⤵
    PID:4704
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:2948
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
  2⤵
  PID:4036
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
  2⤵
  PID:624
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
  2⤵
  PID:2236
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
  2⤵
  PID:3716
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
  2⤵
  PID:4280
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:1720
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:1696
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value"
  2⤵
  PID:3352
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value
    3⤵
    PID:1664
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get LicenseStatus /value
  2⤵
  PID:668
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:2968
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:4736
- C:\Windows\System32\findstr.exe
  findstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"
  2⤵
  PID:384
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
  2⤵
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value"
  2⤵
  PID:2016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value
    3⤵
    PID:1596
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
  2⤵
  PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
  2⤵
  PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
    3⤵
    PID:3048
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee') get LicenseStatus /value
  2⤵
  PID:756
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:968
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:3204
- C:\Windows\System32\findstr.exe
  findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
  2⤵
  PID:1872
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='73111121-5638-40f6-bc11-f1d7b0d64300') get LicenseStatus /value
  2⤵
  PID:1868
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:1004
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:4380
- C:\Windows\System32\findstr.exe
  findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
  2⤵
  PID:4716
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='82bbc092-bc50-4e16-8e18-b74fc486aec3') get LicenseStatus /value
  2⤵
  PID:3904
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:2524
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:3344
- C:\Windows\System32\findstr.exe
  findstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"
  2⤵
  PID:224
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='e0c42288-980c-4788-a014-c080d2e1926e') get LicenseStatus /value
  2⤵
  PID:1956
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:2564
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:5008
- C:\Windows\System32\findstr.exe
  findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
  2⤵
  PID:3312
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='e4db50ea-bda1-4566-b047-0ca50abc6f07') get LicenseStatus /value
  2⤵
  PID:2344
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"
  2⤵
  PID:3696
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:4916
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ID='ec868e65-fadf-4759-b23e-93fe37f2cc29') get LicenseStatus /value
  2⤵
  PID:640
- C:\Windows\System32\findstr.exe
  findstr "1"
  2⤵
  PID:1436
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:2016
- C:\Windows\System32\findstr.exe
  findstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"
  2⤵
  PID:1596
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:2320
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:4380
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:2880
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:1712
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:2692
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
  2⤵
  PID:3904
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
  2⤵
  PID:4108
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
  2⤵
  PID:1696
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
  2⤵
  PID:3388
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
  2⤵
  PID:4572
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:3688
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:692
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:1932
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:3352
- C:\Windows\System32\reg.exe
  reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:5008
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:4116
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:636
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:2004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:4104
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:3164
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /f
  2⤵
  PID:384
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoAcquireGT /f
  2⤵
  PID:1468
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll" Force=True
  2⤵
  PID:624
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
  2⤵
  PID:3524
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
  2⤵
  - Sets file execution options in registry
  PID:3652
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:3472
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe"
  2⤵
  PID:1276
- C:\Windows\System32\schtasks.exe
  schtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
  2⤵
  PID:2440
- C:\Windows\System32\sc.exe
  sc start sppsvc trigger=timer;sessionid=0
  2⤵
  - Launches sc.exe
  PID:2524
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:2968
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:2860
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:3236
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:4984
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:636
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:1716
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:3660
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:3964
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:652
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:968
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4480
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4360
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:4736
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:1872
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:3476
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:1980
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4036
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4468
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:1468
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:1004
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:2664
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:1596
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:624
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4716
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:4380
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4200
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3716
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:2660
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:616
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /v VerifierFlags
  2⤵
  PID:4572
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags
  2⤵
  PID:1956
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:1664
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:968
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:3048
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:1480
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:640
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:3476
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4952
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:4036
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4500
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4840
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:1720
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:1004
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3196
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4200
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4716
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:4380
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:616
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:692
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:1616
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:4828
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3036
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4824
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:3352
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4216
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:4560
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:2384
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:636
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:2200
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4640
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3208
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:4664
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:5020
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /v VerifierFlags
  2⤵
  PID:3696
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags
  2⤵
  PID:2344
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:3636

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
1⤵
PID:640

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Loads dropped DLL
PID:4464

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:1052

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
92818b788ab2d07abc2bf6d032f7808f

SHA1
80a04eb82a4187d65bf91eb8d03a558421cceb64

SHA256
9658ada8f53e7ca4ebfa65bddbd0cc247ff44d4f6cf7807a24a523fcf8901b28

SHA512
8cf55e715b65f7c2ac2358ca7ad7b9c1c451ad9e8f8b077915902e44bac96af0fb84e8b4bc47d2ba1c1f75db71e8620cae5f029855abfde7b21aeb9b2f0b9f2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4ace9525f8c20d9b288ca64d79205b47

SHA1
5cc5dbd63eed0ea6735092f4909b9b1bdd7e7be6

SHA256
0b7a087246583d776c31c07bd387f63baabb261a4fae9bd83b4ec8d545b4b2e5

SHA512
0d9985a0f11d6b0184118d7ca5f03bcb0f5f9647bcd30317ed45b24c22bec82010014a92b1b3b32ce7c79eaaaaa425c3abd333889381b25a226b0648d1ece56c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
515712ce84228f7308ce2b10c64c1eb5

SHA1
93f0cd800e7e5c74d9de433f01e0b6e35c867400

SHA256
984f09601d96d610bbba59f0e13e63dc83f6a76c3a2e971ed526f45c313d8217

SHA512
ea7b9102c04fbb716166f757ee7c6d9b1b37d0eb19967b1f7f10805f622f5fa149b5fdaeb6bc1523ec8089048bfc6636597949a8f3c48c8a96c3f79b2d91caf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
bc3f36843d4b0584e7ac51e976c98925

SHA1
594a4310e3b675a397a5b707eae4d472b7db10b9

SHA256
52565e31bfdcb923f5c8cf518872672bc9ccf002cee789a39082d15d29ff0d52

SHA512
433709226f42ddc35cc8c37564ade6045a5bfc972231bcbae525e5a9920b02948861cd00fa2a36ccf6fa5d4533a61e3368cad08f2d925bec97a5ab3d29409da0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
c0bf7b2b42d2cccf0c1ebb37d2b41588

SHA1
b1ab038b2eb7218119d898b57b7dfa7a22ad0ce9

SHA256
aac02654a76e61dbec9b36c2adbaf2485d8993c02710858df3610439d3cfe7f8

SHA512
cb745ecd781e32e4d602a2a165d71ffaa53b6f16854f238a8480d646ee18df3643b73ccc9e92558451137a6af215319a0852e743bbd1619ed36f5c26753d9375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

Filesize
1KB

MD5
c9d75e13b5f15370ffc890c8da95ce4d

SHA1
6f0668c1de78d9e67455543fafc788ba3c0929e1

SHA256
c1abd07881bbbf7bbdd052a0a7d83b70cf6e7d301cdbc25e59cbdeb5553c00a6

SHA512
610f573cbbe2e0ddd9a4b556e34700e8efe38daabcd49ffaf778b7b6f56f675a039d72c0720e3d44b319f4fcfe6f03f9116a29d76eee0e2a761e045def593a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\element-registry-8f404beaf269[1].js

Filesize
42KB

MD5
915ee717e9506ef114bd1d709cb860f3

SHA1
a11794fddc840bb0423020a234fdb9a3d49070a5

SHA256
872aa06880858faa7be7fd39bf5605fcc22db7875fd0ac94a0e0910246780237

SHA512
8f404beaf26991f0c7d635749ca2b5b602bbf8262d9ac5a51c4c0adfddb75cebd23a69fcf20da810c5aa29edadc8a5db672d4775b2c2adb35c423b8416857272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\environment-de3997b81651[1].js

Filesize
5KB

MD5
1b85079a9ba25d7ccfa2e6551f1f23da

SHA1
95807b2db9ddb55f1c2d063de80a21126396a938

SHA256
5ae5c1c250b930691353ec3310295d1ea8128ba6b1dd69a8bd0ac08aa3283aa5

SHA512
de3997b816515df468e65014eb9230e603f485f9bebbb1e8f9e28437bb64e15c62e2377b462605099c1f5778324da56f8712ae8419f27628188332283b9644a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\light-0946cdc16f15[1].css

Filesize
53KB

MD5
5235e806bcb88fed6c8c8cfb53348708

SHA1
ab71dbe80857d73ce2ca21a45ab4a216ab1cbce1

SHA256
89233262726664b22e2d2e8a742b89d7439d526394f7413b30a92f304a04775f

SHA512
0946cdc16f1502b0f9aad2daf13882a63691a93f7f9a6afb537da241ef6db703e1173a6591975026f826792a4ddbe79c07b863e2a6a41ec6e7894ef1fa920e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\repositories-0355d3fe50ee[1].js

Filesize
64KB

MD5
92bc7cc04b72eabdc5d8dadea976a93a

SHA1
efa2b79ebd856edb93184d6548e57988f922ffa6

SHA256
87e182a2a527e7a4c994342d8c40d843a489096bc1fdc5282d42d4f24b39ff94

SHA512
0355d3fe50ee70f466793c0206964c89a67a6bc19a19d05a56577b50adffafb9f08b45c9857880ffc441dcf93de03825ed101ae69170d812bf76ec534bf0b2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\sessions-2638decb9ee5[1].js

Filesize
10KB

MD5
bc5d5fea43b7e9661b50456a77478335

SHA1
6b8f6d93bfd302cd5ada9b40279205eb12556cdf

SHA256
a02d02064dbc21e677ef0474aa7e111cb55abf165febcdcbfe62d32056be29a4

SHA512
2638decb9ee5cef55a1829e394cfb0d0fff00835713ef1198e08468bbd6d0de25ffe8b78c3261d466cacdc245703118e78c098cd2e2598222e4560aba94cd2f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\vendors-node_modules_delegated-events_dist_index_js-node_modules_github_auto-complete-element-5b3870-ff38694180c6[1].js

Filesize
26KB

MD5
aed57c5b19c71c3a620a8aa2abf9a69e

SHA1
e30ccdbeb880c3b8fc82cae3d1293354226f3c59

SHA256
a7c516e60d317d33dfa33e6f1ad396b0bdc096b9e2081572ee35be0fa7fb99bc

SHA512
ff38694180c6b07c0efffc27aae6ef9b02852a15b6ec0f6b92b4bc92ec5db0bb6ef46f8d3ef15910fc9bc64dc96af4415c8d2ed44499d0b39b64cffc9487d559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\vendors-node_modules_fzy_js_index_js-node_modules_github_markdown-toolbar-element_dist_index_js-e3de700a4c9d[1].js

Filesize
13KB

MD5
186933c0117b94c9b8aade71f6f310c0

SHA1
ae67ade0e920b536137b6e98bb5e9e6c34b96925

SHA256
1465e7c16987bcaf9bb6209172d23d157cba309e9c8b2e4751b77ce4feb1b14f

SHA512
e3de700a4c9d4e1a490d2daa45c518f837ba0f6e065274231627b3911c43faf07e365ba42dc6d110627987662366ea1cdebc9ed4f5a8b88a04b64a7980c7b5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_github_text-ex-3415a8-7ecc10fb88d0[1].js

Filesize
11KB

MD5
bb1800636a88e2cf90f48ea181a1c3e9

SHA1
486238b0e8fbb84b4f92e462ba7f337f8c6c091d

SHA256
7bfa93a6b92eb9a2f1668a9b16ea5e1f7f2591d3664351788a48107ec879bf84

SHA512
7ecc10fb88d0dc86ce7d35b7a2be7b44f51904fbb1908b53c9afdf0d6d1fe9760753f6cf8f9ca1897bd537552d3f8238c68e9b993a167cc52f43b5f7a58b37e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\vendors-node_modules_github_remote-form_dist_index_js-node_modules_github_memoize_dist_esm_in-687f35-d131f0b6de8e[1].js

Filesize
9KB

MD5
07545d79324e61d14de7d47e9ca6b03e

SHA1
b73039cdd8e424960b0a8dc973788116bbcb11df

SHA256
ce89ceb01d12fa63f5a5edd4ce856335c85eaa59dcabe3cf38d90f6c0040fae3

SHA512
d131f0b6de8eb9ad4a24a9a4857d9b1eeb4a5004932a3b04ab9c6422a829f101c1b5089a0718a751103388d9eed36f52b9be218403da685e2611ad151432e6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_behaviors_ajax-error_ts-app_assets_modules_github_behaviors_include-2e2258-dae7d38e0248[1].js

Filesize
12KB

MD5
2ea4751c021cf86092225f87a5cc7ca2

SHA1
3c3a818ccfb35a1cfa7b8c7793699aa9ab8a9d72

SHA256
9d4c3a8ff89e9acd1218edd29506299cd6522610df7b06442704ccc318b24c2f

SHA512
dae7d38e02483d4244dda02aa05e081ef94d31f30c8bba7f9581d5541abee149b092d5e216009ac4457fc28336a89373bc78e94a6ab513da516b15289c982653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-c97eacdef68a[1].js

Filesize
11KB

MD5
877af1a0f83cc799c024e324dde1c078

SHA1
e07d194bcdf77c01c0bb78903732babf0acc99f7

SHA256
85edcfe9717ca67aba8f94c45da5071c5bcf600b1431e5daec667d9463474877

SHA512
c97eacdef68aba2c690f85c669524ac13ef83c6c54cd3afe654d0c74f400887226a84be09da958c50a0581f9270aa5ed52b476c336c08d392cd67e4a53c513ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_behaviors_keyboard-shortcuts-helper_ts-app_assets_modules_github_be-f5afdb-3f05df4c282b[1].js

Filesize
14KB

MD5
9200feadadbbca8309d5977b36e8ea6c

SHA1
5c1f182157d97fdc3c765f93d4e5d1ddc8d091a3

SHA256
c2703d901b7c6cba74a1e0e7179941d5aca8748c25ae79479a48f562d02e77a3

SHA512
3f05df4c282b95264abf3cef77b0dbf2bc00cfd3bd2af67073107f6d929a29c8015f6404da03b32fcb9b9ec70809a6b4f3b9e3107abf5f19f173c57a36d331d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_blob-anchor_ts-app_assets_modules_github_code-editor_ts-app_assets_-8128e1-65aa849c94d7[1].js

Filesize
10KB

MD5
6fa8e83f250dc77a6af788f589b0135f

SHA1
edb359c0ea8d889b3aa364b517de0a68c5ba6bbb

SHA256
d2117638196370f8d30f111e2a98854dcfd5f179b3705353fec65b6dd55747d3

SHA512
65aa849c94d72457c6638a5b4654c685bcfc0e77b6958d9aa6ab306ab8ded99142818243ca7fe5c1432d2c17ba61ecdbf659067bda0bada87f4960fa2c735171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_ref-selector_ts-8f8b76ecd8d3[1].js

Filesize
9KB

MD5
019ef7d910ab3ad87d523c379439ab31

SHA1
dd97c99ddd637832502230c904f6fe4e4cacf4d8

SHA256
9e6a2cf46f911f800edc46a13a14dbc4d867283c2f036942fd76d13c5c3f4be4

SHA512
8f8b76ecd8d340cc9d4a3a09ef686e0eb0c00549fd15d50199a20412f479f22026dd00dcb70367cc98e249734ce25d03cbb0b585a5156f439c91c29cda78e647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_sticky-scroll-into-view_ts-1d145b63ed56[1].js

Filesize
9KB

MD5
9c15e69f34d72ab01a25575780a3dc9d

SHA1
4834bff994ded22703fbce6e1f04d5a13838354e

SHA256
a382c7be63e4761274ff6e21ef7e9596aa0eb700573a0ead42aea76c36e3e47b

SHA512
1d145b63ed56c1ca14a1cb8d7264bc56a9e0c3a7d11ce67b5b1954b034a9ab4c29d74f72ddf860600dfddbf1b73d38caaccecd5bc51dd4fde166f79d426aa086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\app_assets_modules_github_updatable-content_ts-dadb69f79923[1].js

Filesize
8KB

MD5
ea38f9963d35351c101d238af3a3cf73

SHA1
9ab43d46fd1b2774ab8b1bd7d51b55a6a2a49c84

SHA256
8158702cd486d1cfaf584b4784649207f4c668e27d37c2c3c38fc70d0e30b24d

SHA512
dadb69f7992377066b58045ae7182c82eaf7d8c3233571020172bf70e11589447098c1766954df0c736df3def39f1e3f6f34e6153ad571eaf0f71e06477d29b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\behaviors-d1b433c1b6c2[1].js

Filesize
213KB

MD5
d5a97f9fbcda09e1358bedfc8edd5822

SHA1
318def7e9d0a226267228d6c7217175b68b63a4a

SHA256
33c095d35817ab0d22d02d28a735f032edf796c8f7a5e3c565ee37c797acb334

SHA512
d1b433c1b6c2c6f8aceaf563f755c602e4c10dac2ef773d02b06c7b5906c68ce5dccc142406c39dc72ac34151bed6c6a62191287489bb34c64ab5747f9593720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\notifications-global-4dc6f295cc92[1].js

Filesize
11KB

MD5
f9900e70cb1dcc8a67f9f446e5d718ae

SHA1
f7be42badef3fd51ae90deefbc913e74e81e705c

SHA256
3611cb16979f594f606f41f6537a27e431a29d8a883fc1b18cb309b3f5890e7a

SHA512
4dc6f295cc92706460d7f2f96dccbaf776474d47a47889ab69fb549011d0f76cffa0ec1c8f556f8a52dcefe755a4d7d4bc4473a47c710b27223ddced094ec160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_delegated-events_dist_index_js-node_modules_github_catalyst_lib_index_js-623425af41e1[1].js

Filesize
11KB

MD5
342a8882b7df201b3b1612ba41ac63e8

SHA1
f57b133d85bee8d94a041d0f5e0a1fb44e131496

SHA256
779f91df7aedd2267003709efc2dd3fc01abcaf461ac3f8b6ebbaed38fe9cbee

SHA512
623425af41e17a40a879a496612cb521e78721a79a014daa62c637c8c9bf99d52f70b69a5a82b853a6468e9579ab4cd21bc71d4d74a5b1648a6966e570bbb137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_github_paste-markdown_dist_index_esm_js-node_modules_github_quote-select-743f1d-1b20d530fbf0[1].js

Filesize
36KB

MD5
005512a59c929cfe6857ae4aa5b4a445

SHA1
a4fc118a8e3ec2924ff18a65eb6af04c43b6c37d

SHA256
c17f95538fcdd61055b46582d0f102c66342fbfa173f6de5a53f26a1ed49f7b2

SHA512
1b20d530fbf0cdfb7bb55d3e9b89979216267176559260c36357842ddf30b866a249d7406c86d881dfa57b4f43c9a21cd05a2457005fa68956e19c14557a2c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_github_relative-time-element_dist_index_js-99e288659d4f[1].js

Filesize
14KB

MD5
f491d4f9b68507dfdf90a5ef6d4f70f8

SHA1
dac15fb588758d0cf24eb922931dc367d9f0458b

SHA256
6f7e23dd694a3e70ef7b0a8dd6b30161168039187a16bb1f8ad56c0e385fc2f2

SHA512
99e288659d4fae2fc48756d2bc57e0bbe2add23ed9ff370f8f9643ee09585f4bcacc6688cfe6380e60dbe883f614bbe2c61cd7d52fd5109f20aa79b70df6f079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_github_remote-form_dist_index_js-node_modules_scroll-anchoring_dist_scro-52dc4b-e1e33bfc0b7e[1].js

Filesize
12KB

MD5
6ed77e8843f620ad455509ea7f15e2f1

SHA1
6ca0ef769ba65722f22abb77936e917fe66136f2

SHA256
270e861a9bb0e815d2b57ab3fd881132b05eb9a39d1e9269f12529b03aa168b3

SHA512
e1e33bfc0b7ef7040dac38396663113672f27ae9c49e9517a18238dd67012d693ffc8e1b562487ed87dcc9ac91286cfe9bc2778e2b3eed044cb7dd0c6952622a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_lit-html_lit-html_js-9d9fe1859ce5[1].js

Filesize
15KB

MD5
29b126d180066f2cd72287a725af3dce

SHA1
da1a0918b337b6bcda086580271306fbb2d41ea0

SHA256
9417afb32e38d089ae0e18debddaec99629f25af815081ebf426a48066ef3438

SHA512
9d9fe1859ce5c02054af70a2435b2b137398d7f41f2b71cc138333f706bf3c175eccc001e8ba717e80508a10590fd40c91468a9ee60839cf2cf5464c2601deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\vendors-node_modules_virtualized-list_es_index_js-node_modules_github_template-parts_lib_index_js-c3e624db1d89[1].js

Filesize
16KB

MD5
e64f83d1a9f51f9c14c9ab8f3a50f8fb

SHA1
16e820a27942595273eded6a23ccfb20e47d5472

SHA256
4fde779475a942b75da84597dcf9650ae9eec74aa4718123b7b1d804267883dd

SHA512
c3e624db1d89f8a4598209f6e86f431371354696485067d4c97978b5d8258342e8d3c4079d89b7d1721e782f6749eadfcf4398d635507c8202f34c8e9540d5e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\ui_packages_failbot_failbot_ts-e38c93eab86e[1].js

Filesize
9KB

MD5
a290de737f98b928791420949ae972ae

SHA1
11edff4fef75d57bf6de49c03b83169c89efb951

SHA256
948fbb66794a958cdab7396280920287c12e37f7932acb40395d6a3e5d93b4d3

SHA512
e38c93eab86e95dc38b684ebbfb12a98a4c16dd440321a707941f37794404d418517e47862933a335d2bee4cb8e6769cb4e0f160896bf880b20ec83deb009ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_color-convert_index_js-node_modules_github_jtml_lib_index_js-40bf234a19dc[1].js

Filesize
20KB

MD5
335c0961babd1c1c0d898b5717f961ae

SHA1
104c5caf6c79e0a658ea309651ae75d734be92c9

SHA256
981215a3a3c0857405f95bab20d9e8d1eae8a0e757f787c62824bab1330a8cb8

SHA512
40bf234a19dc5a70430eb6893527d5320d850d63bac10e3789ac6ddaaf6bf1682a0ed81f2224bb1ea2154f9ddfe9afd929a1611078ae3b3f43fafe7d584221da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_github_mini-throttle_dist_decorators_js-node_modules_github_remote-form_-e3de2b-93bbe15e6e78[1].js

Filesize
18KB

MD5
4388686fd42387c0a5bc31216254aeaf

SHA1
d99abdf9750fef9d0c5f6e0a69f19f1dfd506a13

SHA256
067665a80bebd1b7bbe2e968780f61b3e9b203be4c492e4edc7d6b5b61854a4d

SHA512
93bbe15e6e78491753a96ccdd0a1e8500657f17798485b4c6ae4ed1d9feaf8955019420d1843e2dc9189f60ab1d7a7bb4db56858d8bd500ec27b8818c0968ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_github_alive-client_dist-bf5aa2-424aa982deef[1].js

Filesize
13KB

MD5
fa2bd9163204e6ced0bf13f169206c40

SHA1
ea2d13287aef46af1ad0f04b04eada4e8a8966af

SHA256
0c2a6aa4860bd3d3a135d59418bf4e7a00173c3e974842ae436a0a2fbe3da624

SHA512
424aa982deef4fc0969c58c54d1dfcf1b589d6c9da95575e4b5f88ffb03a8457954a19c03b00afbb5f4fa0d64a6d7b7361c0a4737c1d21490d2767eea227e0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_github_selector-observer_dist_index_esm_js-2646a2c533e3[1].js

Filesize
9KB

MD5
e5411d902c14114345232eab0b388a2e

SHA1
a079ffbceba09465e2546881d6b963d05edd3add

SHA256
3dd71977f8bc77d1d340787b166bb300047f951a16e440f75c9fe2599659a70c

SHA512
2646a2c533e30cbd3c0ef653c306fdd6052f00fb9479ea664f791ee17c4a8d8321a0337dc9f79b9a0aa0a1d68a9cc84b46bda6b2285bc16a8434712b54794f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-ba0e4d5b3207[1].js

Filesize
76KB

MD5
80de3fe499fabcd32f3eb5a1c8a080b9

SHA1
45c7a787dd927214b847550fcd44f37261413256

SHA256
0f0b5c21ea9467b911d1377fdff0272addf7fccc7a588f2f30ec6f07ffbdcb6f

SHA512
ba0e4d5b320783d52465d15d4a36113a8e10261eefc707314d7e6f211ebb57930b7cbf2568017febe5e47cb43749552e6992fcd652aec702110a330364e08506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_primer_view-components_app_components_primer_primer_js-node_modules_gith-3af896-ba2b2ef33e4b[1].js

Filesize
84KB

MD5
9f6934b9c53914b8e803a98b9f54a977

SHA1
642c23d569dd5887a91b68496b59d7a477237b20

SHA256
2ea7d3bcbbd9b0962eaf9f2d659c354fec1fa37ad7936d7dafa52227a8389c06

SHA512
ba2b2ef33e4b1dadf6a47fe50cd0cd6a3c19d605e4db7218460d6a97ed3ef4126a4f04399245c9647dab58bc0aeffaba5a905f9caf4a0fc5b8230b23d91da730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\vendors-node_modules_stacktrace-parser_dist_stack-trace-parser_esm_js-node_modules_github_bro-a4c183-ae93d3fba59c[1].js

Filesize
12KB

MD5
e81d89b97d24210d1fed01b8c7527dff

SHA1
e9aeee63975aa26e1c18fb15e703fadef1044af3

SHA256
b3dd2be29f2c480a351a18ffbe7d3fb4b7f3c7636cddf273bcaaa4d355d479ef

SHA512
ae93d3fba59ca967f3bb0b0e6bc1867b903c647d389231e92e559eca742b7d9f5b1f1c9b79b682611ce40ef8fdb327c76b47646f4d4ae97ddbe531e5008c46a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\wp-runtime-377d421cc9f7[1].js

Filesize
30KB

MD5
bb3a62239043356fd1cabd2fd2a49074

SHA1
2589a58e6cc1df0795343f0b274af49d6e5960ec

SHA256
ad151ef7e45f6c4fdc7c289084349671412838295e7784fc1a7179770b0dbae6

SHA512
377d421cc9f70e301ee6cbc7cafbc175b8cd08f6df35e9e7c8fc90e07ae205d92edf38d0b5d2c0b75ad0bb009233c4e9f5d51017921c75a356a9a6ae27046799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\dark-3946c959759a[1].css

Filesize
53KB

MD5
2820c4c7c0513590c53d244c42fb6fe3

SHA1
e7512521010a3afcf5ca395457473e7963a23ed9

SHA256
c2982a111fe3270b0feec1917715b73a1ad11e04a918c3748a129fbedff88370

SHA512
3946c959759a620244e1e09847f1baaeb2e1aad20b8e0b84ca7652fa14a130d5b94af4047a1db76afa5abacc01bba4d87789d44f959e08f8524b864eb66f925f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\favicon[1].png

Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\github-c7a3a0ac71d4[1].css

Filesize
171KB

MD5
2eb35e9de28f967c32f4e8d8d9478db8

SHA1
b8c8ca1d54d2e33b13a2a8055c09d5a679bd4128

SHA256
980bb59f1d582b3955af0a6189ee08c3c345b699f91e6e7f55e92b0a317771e0

SHA512
c7a3a0ac71d460e702edf86b508c4509bb12543d39d19692f21e0c4ad5ad603b4523d2f46edd1c1ea3fc22b0793f78c3db53e770399d953a18f08a6176e089c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\github-elements-7b037525f59f[1].js

Filesize
34KB

MD5
b3c79d1c7d78847525e892155aaa621d

SHA1
0ebfbdb20b1d6db4c26e7b5c9d2e0ceb49a99329

SHA256
9b879ab92de15af68ceebe678fb4d317bcbb7a4265ac816b9ef23bcbaafff3a1

SHA512
7b037525f59f825114685b4567efc2a4ee22659bd18560a512d2b7bf88a0d485eca485c1ca56e41d3d8631f0fe2622810bb75a692283caea2825b24cc48ae0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\global-0d04dfcdc794[1].css

Filesize
254KB

MD5
2a5effbfaaf296ce901ce3f997149e08

SHA1
d3c9b0558d7933df3e1774236bf284bc947a5fa1

SHA256
b096c40efca7e00885cb78e1caeb4c31e4db9100662228f60c045b9f4b19e624

SHA512
0d04dfcdc79457770a9457282a9ce54184bd35a9aa8d17643564af15ee8dcaad5a453b744811dd53a4a6443ada50b0c7194f90e786c91cf0c7aa4184076045d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\primer-57c312e484b2[1].css

Filesize
316KB

MD5
6264dea995132348f8fbb0bd13604965

SHA1
2c24963a29a8cc2f3fad3c6eb9d664cce9042557

SHA256
edcdf2798ea3d2f53bfd6d72a2839abed123a02848646fac24a54fe6f9af97e0

SHA512
57c312e484b2b1cdf5429cb4f8faffb3a9f1c9a0a7ce91b302dd2235789d744c07c596c9a0c3125ff7a4fe8aee66f42c15f3be37c862b4a8ccb533520244a9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\primer-primitives-fb1d51d1ef66[1].css

Filesize
7KB

MD5
75b4206d843040a7d81ac8639211cc5c

SHA1
2fcc5d28e05f27e822f4c79cd2ebcb3c55c93850

SHA256
ae074dc2c85a9557c8b646ffc5afb608a552b57066eecb791fe8f17f5fdfc1d8

SHA512
fb1d51d1ef660b84870b0a4970a8772dba4127aca9ab9fbaa29c734a83de07bd8a44b84b6bb22ed6b9b03ebe7a105bb9072a31a01fef987a6a64edc3b894ec32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\releases-f3b24bb0662e[1].css

Filesize
1KB

MD5
8febc841cbb55c45e778fb19a20c06f8

SHA1
ac862ea6377d9c06387db88f15e32c46fa5e4818

SHA256
16ee0301555106edcf551d5d38ff0940d049415a7f4c75075e795f2677b2dc5d

SHA512
f3b24bb0662e42e4233e11be03ffef02c20a590a4d3b87c3d8d0d254598b63c9fb85ff02c8b673bb854f13fc8fb32b1cfb65dfad902964b3fd5fe75d0d435dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_github_filter--b2311f-939ba5085db0[1].js

Filesize
20KB

MD5
d376df628c3e73f17c199bae0ce3e013

SHA1
f42e6dc94b32c915d016a12f1c4c996cc886d727

SHA256
ffd4a453e1ee356f34cd69f1768975c20811b3e396303049dcbb490dfc7cac4f

SHA512
939ba5085db0b7179d736c8af4d8338d93e8685f89a7dac485981aee344b9225eb90182c6f8b7cc60fd9965d9492ba04efba9c4fc2b92614b9988c7f275b5540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-8873b7-5771678648e0[1].js

Filesize
11KB

MD5
cc3b9d72861037e13bd0d0be98ef5ace

SHA1
ee4ffb8a335a106b2b784364f017e017f61d7398

SHA256
7b13afa92922980886b59316cbb313d4d4c05037979c1a49fbc99d6c4ff822ab

SHA512
5771678648e04c79885e4671ed343d33268564ca16a73d0a77dcba1dd1aee2b1ea303d6ab1b226e61f4c0bd5df6b33f28d86ba2ff72e959978e03f8f640a095e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89c193840c8fb53fc3de104b1c4b092

SHA1
8b41b6a392780e48cc33e673cf4412080c42981e

SHA256
920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

SHA512
865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
151KB

MD5
2009a43b9247d238b3c32485533b170f

SHA1
0630a0f23b991415c5df5620c5e0b49f3aa866ab

SHA256
ebc337a56968340ae6ef4de9e6abd35719819258c18069c86f0a8ed29469cebe

SHA512
a8075ded10f3a8220d84f9c00d55e2bf7047484931a8d341fd836463bcad67c3e0b7879c54e4d1246b3b80c6158c6adb3f936ba705596c5d92a7a9ed7bdcea64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\22920

Filesize
9KB

MD5
ddd1df7a20a041e92c95264ea2155869

SHA1
c03f067d507c6e48edee98bdb7de51f429dd95ea

SHA256
11de8fa091afa452e83c6ed90e25529102110abc9ef8da878aa6069a4897f08c

SHA512
3c5fd2c72f9534f253bd4831cf42ced086e53cf3bf0e0d55c842fbc384253d98608c39d2805a7247fcc4f3b9d321e9a25e76168395572d3d9a60a43335784f6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\917E41E135032D6BD66E5D6F84F0988D37234A33

Filesize
14KB

MD5
61c6a9604fc08b9a95871edffb22620b

SHA1
047a866de514509fe19256abeac5d5cac7ed38f2

SHA256
cb3ce5eb70a037e21d609d26beb8c373fa730a7aaa4e3114662690f491ba879c

SHA512
11f6514e59c353a70ddcfd6971eb223b00e9bf0131bde5f1021666dfabb4f067ee25276575cfa30a2ca0c9f345fc9ba49921c0192fe62d0534d0154d00cc8f36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dfwagbu.cf1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF17D8A0993504F3E9.TMP

Filesize
16KB

MD5
d0bbe2a910bb7742fb080d2d81fa8997

SHA1
a29fe18647cee2986ab532c36420cf0bb9fa37a1

SHA256
ca31b25a1914363edc6a1de6f85035d9723470dd2cbf278096203e3bdfa21f84

SHA512
554e6bb01b09c7b0417e1820b4772455a246c1c04403f68424565245935d5559301e8a059dbaedaa905024de2c1365849fd3051845759860915d4c5b7bd94370

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
688c54d1724ec4e448d77eaa7eff20dd

SHA1
9d2aa8a4f60eaf270b97d66ce822e38da69efe4e

SHA256
937a529e6830b3294a21f6323ff6993784278eb7e6a77e9c7b4ab9f40a051641

SHA512
6787b7f22c1026ece094c84de812c10bc6d587f3f9cef3231380ebbb5d2200ea34832125f89c2af01c4bbb011539240a3c0fea7791764794257cba212bd81d65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\SiteSecurityServiceState.txt

Filesize
623B

MD5
1925a4a08448bd93476e48f000ca901a

SHA1
f92a7d1bd61e11a1df69a57ad9a94b05ad2f505b

SHA256
3b3c9287238231d8627fbd5bf2172bd8479bac41b4e6626bb24a7cd1d7a3f71c

SHA512
3b4d7c2689823d8763d0f29917ec36b33d1abd2879e0dd81336782e00ae32b37bd72d5966c35895b7b075c6b6dad1ff7cff0c759884175897a7295629a857d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\bookmarkbackups\bookmarks-2023-05-20_11_vctH0C+aUyqmIoYnluBy9g==.jsonlz4

Filesize
940B

MD5
fad1cc737c1b23997334c275ff7685da

SHA1
fff1bb35b69e1d1b992b186a093e2f3b9d9daf39

SHA256
10be0a865e1d27e57a4a51cefe0d3e013e6aac918db4a0e5d8ae8afaef3c7571

SHA512
99aeb57c8db71f092b65cb0a8e91f66646944388c23379541d43953013dd85c63afa800b03fa10aeca1ed001f8e81e83ca71422829bc70195661e69557383c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
21e86d8113cc37480f7b4e225842e151

SHA1
076d89573897af8fc6f5d4a9301d24aa9e46a57b

SHA256
1912fab3550d9558cbd3efbb31ac3c32aff30c9da6ad01e33836919aed3938f3

SHA512
368f20a5deba25457e63967cd804bcfacc2f880f753a88b534dbb4fb6389a8ac0de9430082c64e648f0c3962cea9b931e7745c6181c17740575a2b361b7d95cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
8d17152d526ea957e578e703e4aa6075

SHA1
73ea9d3582bba1613dd370250b43022fbed23c79

SHA256
98a36393b9195297ffb902fdcf3f5d5d4699f1ca09c4e7456b35637696aca014

SHA512
e3ef321043e1c0d1b1d9f9be054d06149b22aaa591caa54153b7a4b9504b399b41753b8de3f40916e6478ad56c13388f485d7b9dd7f15879ec64deac9b126fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
3dd1a1d616bb609a27b744022bccae16

SHA1
01798a70d179c81c7dd833d3c989481d71cd4122

SHA256
7f20a9a9a6e8f7687040ad084404675d5bb1ca6ea75664df9796b3645ac0b2b9

SHA512
369cef349c8afae10280cba102ddfab4d3ff60b916c5ea63a3f3bde01ca137d9e686ac51cbc43efe98f14741f1a53161dcb100e5305926f3899c0e31c71ff8e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
9KB

MD5
7a8d0798cc8540463d5317f1a2fe0312

SHA1
b92e809d6c56821065405f89a6814b06424181a3

SHA256
d1ad127724272b71fdbc27febc6cf7853251066de754a1b5f5aa66e72514d4b9

SHA512
3d7571d5ceefcf9303c6ef2541209f38f3f2e537f922db3167cf6b7b79f00ecb820fe5180f093065548c5525a1407da40881616f07f428c61b87f2ed51d0e649

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
9ff3b1ed0914f936de71e7731a34ff1a

SHA1
00b5699f2fcf119bf4824cd9b33a65a56412db77

SHA256
7e9039c8c9dbbd736bb20c40ccc8df3894e69b22e2d975beaf91d08333f6d311

SHA512
0de47ab9abb1195129abe8635f3b3841eff08d3c590f00b7e9ea234768161dca83baca7b86333a2a76f93f5706019ea2de23bd142e8948566dc20411e2066ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
e263b5e86049bae59f6accbfae4a3dcc

SHA1
9147264003657cb2d5851186578e6c487fd979ab

SHA256
596b43a4ccbdb0fe2a0fb7f3cf9a5e6eef0c47c47f37f8955f2b2aa43c2f5e07

SHA512
5af7a3fb753c83d8305c1790914c06739cc45f40f59578d76fbb1f73156fb9069ccde0d9eff52e5d277720641b49908a645a7f135164fd55b1e0dd791acbb2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
96ed45ef9cc78791ad4b462bdb9440ef

SHA1
98aa53cd5c6db9f955630778146b031ebc0978ae

SHA256
66c769659ba22d954fc470818e9622bbd64214e74290e210e5e4ae839f0dcdb3

SHA512
c8652b25f7b637dab948f9f038b67910456ba52f3c56cfb26275f96e19cd9f20ccb7f99651409fc24389adb00a1147e89770e426fc4624aacf8eeb8fd0d1ec38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
888160dbf713aae7ee2d2c8bed00a215

SHA1
159ac1622aaeee6b7f1160e17fa1544616aa3c64

SHA256
df2ae03c46d52807aadcd1d9b0c5a669bcd63bdabbc672e281f8a9047a42af8b

SHA512
99c390d026bad3e9a857c40fad622b629e75c62ae891d2408def76ef89c4ac5ed40138f93af81fbaaf14813e7ecad0d51b9c2a44a3b344cf1c2feec39a42263f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
0789b7554a2ab58835bb471d53842584

SHA1
b17f526e4a1cf6982d3557b681d1ea8ac7576c46

SHA256
4fb9894d4473f97bafb7df0cc3fbe5fb559251364128c2842e7380096598ea77

SHA512
8adf3ebc4b41e624f1ebc0c9a51e1da8d6754153d52d9eb3e279b5ef26f1c85835f47a1197e916c6965abf57b8ff1b76ffd73b837f86f067fce01659d238231e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
11KB

MD5
1a02cf9fa1a72f77a78093f7f0f1fbe1

SHA1
4c2dddcedcf6acbcce786f05df95351040d2ae39

SHA256
292dc78a2a59054d947893443034523491986adc67bb3b4a9bdd486d2475ea61

SHA512
aadef3ce6307c8501b27f89810312bad8bf2af8fba060a545aca164f650a6b36b926348d28093ad25378a3b318ff723c76961a9dee885cbdccb6c0d24b8510ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
11KB

MD5
76277638d916cacc9506a79ae3c75f6e

SHA1
4e29a21d7323e6ffdcc4a7f8aa4e7828f214d75c

SHA256
65e6f02de0b1bfa25c9dd639ee827c4b497f28b52b98df833d67567dc47da0ea

SHA512
b98220a2d287c036a46c88299789dda35773ebe33d96fdf926113f04bfd96f8e8f1eaa86625448515e1810c8e6d1d88b65cbe2d02519b501caadd27169252c2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
11KB

MD5
b58fd01909340f64bc938d7272bac86c

SHA1
759d9be9729e7c7020609ed5a025ed821e84ba4a

SHA256
52897cdb8d88badbeb6c37befafd20cb1b2fc55a771fa471a5cbfdc8acd4bb53

SHA512
d7818e2947a9c288594c68d2248b9f11a442f0c2331731125207cf8885cae253c284baa329f92e49041d860ead0728e5dce18a497b9c66046f4aeb1224184eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\search.json.mozlz4

Filesize
296B

MD5
033eb0645837c8b618a593f7b9a72642

SHA1
cf4c2e7ccaa275ee47cdd945a7bd1f8b57c61172

SHA256
3409fd08295094b37673d748a0374cf0afaecf1671188b2ed012626cad67a582

SHA512
27dd0743306b0845c06b3be3e3ae2f515777dced4bbf91a4864bb95c5873e2d6351d99be36d4762a2ba8262130c6d139db3f4f5272afb8717e02b09c1e39c2b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
bacbaf86090532f2724c95e04bba8b44

SHA1
3ed0dc7a2bdc1b8dea86e0767b24ed5ef59dbeae

SHA256
2e1af2146a8ccd060d11c7b68a4654f98484d31aa7498ff38a686e3fa9b3d069

SHA512
fe5b01a66a39b084fe7644f3a1969bbae4307c32091aa4cf100f1e9e115243e8f9b4f24fa2bf4f24812a3a750fd3c16c61f5c30e59012862ea5b8520c18bb75f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a097a82636b87801c79f83a1f7fb0605

SHA1
a5b80ad7feffb96745b7ce84cd902e643f772318

SHA256
1bbbe170e3057f12805e0b271100b589ffc4a5cdf8030694b8a7ed900897234c

SHA512
f6348c3882fff892d07ed176299c66a76037748b1e6905e6244f58704983f1073c6277baeb71e4c94c91fd6b24fe85601cb1d744f764cf3c92fbf271bc36aa84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\targeting.snapshot.json

Filesize
4KB

MD5
59884eb8556440fb2e172fd5769ff071

SHA1
138f7ad1eae972597a2e5975e51cf736d7cbb848

SHA256
e4aaa013b41b6389e26c99af1736d8ca0bd3ce83c73c43ab2657ac63766a4e6c

SHA512
f1214d319d110cdda684d403fb3e2589295e028ab01b5b929c7ea83857b21c44f6abdceb29fd1e22b80178307edd760b85df7f1b9b7a2d9c4f73d21fd4ce8d8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\xulstore.json

Filesize
217B

MD5
6d87256a2b21b9603b7d731eb033b9e0

SHA1
8e2603f254af21d5dcf310fdb5a688e9097aefd9

SHA256
5b3e57bf27b98cae50a753101df9a00a1f6d96886c1a92c4106a6f7eaf6d09a2

SHA512
67bfabf0b5d3fc75b5223a5da836e6909b2af8d98172120fc5efc0b0f6ece72b6cafbdd97ac170bc5357d85a39b15fda7e2df861981d193f84cfca82f360e156

Download Submit
C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49.7z

Filesize
77KB

MD5
6b65189ea98e0d449547923db96f2c38

SHA1
9e099ccf990414639563817877a60206d61970fd

SHA256
e0f0ed33f805a9ebe4b8b77e88b6d1a7801e6ddcc7165b95d37b4bfd41fad22e

SHA512
5e54d62c1af0184180741ef93997e16eb6b325bd077918940d69aa68c5b194bd8c2c35d45f7c5fc743bad7d69b4a6719862b6402907ca90afe04072cd350afed

Download Submit
C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49.fm61cfMA.7z.part

Filesize
24KB

MD5
3386013c885f8804ea70736f51105a95

SHA1
b9b7142835eca9bb8278964146f5361d6d074651

SHA256
b9192e53a36413616a1c5586f18c6048929773a72e7d08cf35c3e235b5f7adc0

SHA512
80407e5b7d171edee7333b1e321ef6b1ec58f4e9c6bd276d8c07d356e3c83a503714708ccf60b5df04b16136b7b80e5cad763ccd9f3a53afbbe811e8a3cc70f0

Download Submit
C:\Users\Admin\Downloads\KMS_VL_ALL_AIO-49\KMS_VL_ALL_AIO.cmd

Filesize
285KB

MD5
b7704f8278ff47c8e3cbcbc05c0f584e

SHA1
38e74790e64a034ff2d1afcf2017e5cd640cea3c

SHA256
69f3684eb086eb71d86869cdda94ba2e58ba5b5be0803a3572891ed532cce94c

SHA512
97f201f2fccdf81007a279d224b840a565caea681e2f0c020fbb5791a137cb31a2216f31c4b736505c42fe82ca4a813d7d7d3c7ae9725ce7382f38e86bc6bc20

Download Submit
C:\Windows\System32\SppExtComObjHook.dll

Filesize
19KB

MD5
2914300a6e0cdf7ed242505958ac0bb5

SHA1
684103f5c312ae956e66a02b965d9aad59710745

SHA256
29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8

SHA512
6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9

Download Submit
C:\Windows\System32\SppExtComObjHook.dll

Filesize
19KB

MD5
2914300a6e0cdf7ed242505958ac0bb5

SHA1
684103f5c312ae956e66a02b965d9aad59710745

SHA256
29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8

SHA512
6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9

Download Submit
C:\Windows\Temp\RES2608.tmp

Filesize
1KB

MD5
55521e89e8ad950f183efbfb308eac2e

SHA1
ca14fd88fee776fe53c531c89b568339aec8bd40

SHA256
d3148e9af5960b0ef429cd1be23eab05e8221708618b4e1a11e98101b7bdd802

SHA512
a89dbf129465a61db14a68214e1d1c44981a08c0ada8a73d76f7e8b10592dcc48820a99085266ab90bef469dbcd4e1940269fe613af2ed96955d5241131f145b

Download Submit
C:\Windows\Temp\c2rchk.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\crvProductIds.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\crvRetail.txt

Filesize
80B

MD5
8bf63053cd3d9b456db6f0f5364fbdd8

SHA1
66f296e2f8f2557651948768d23940a364fbbd8b

SHA256
6745801207605da64109696eb8edc436e5599da0012092fc5b5b0d3fc58649d8

SHA512
06f09dde15ae5077b19149f4ef682ece57cd8d83ab1ab1dc30b342b24f534e7926a6671d7268e365dcd9378529bf6f9af682798dd985a4f5522044c047e901a0

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
764B

MD5
8456d990c84b5638c6ba6753dd31b114

SHA1
63c7d3d35294c74b8340d8e6b077b4b95c68e06e

SHA256
16f408b7d9474efb9893f7a090f51e72ea679ae0cd3e16a8701685f357bec4d2

SHA512
ce30e2af40d3c05fe5b2c17e9ddbdd29231229fdb50b1ce290590c8cf91867800f8c84468c4f9e133d8b766b6c5aa56bac1deac17577bbc7719a0c209f29f40f

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
1KB

MD5
9ca430ff9d23c91111e7f982880bb1b5

SHA1
d19b69dfcf697895275aadc5c4d43cf77c5f2de9

SHA256
9297e408b04114294f766ca92924527538621948c094adbdc70255af3ef92634

SHA512
01df1ae217f1ed261984cd09bb864874b2a945886bc3e565477c5769710e80fd307f28247edc119167992cc7d4d8c1e1a926eb9ac029e5d27ba9169474465dcb

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
902B

MD5
5b1dfc7601d9df6abf33eb60bc343941

SHA1
0a7353b1a210baf9b1f113f12872e4fc1ccc8633

SHA256
4f2a8c988a88382e0f13805e5450af8f07e297c23c5c2de27f4620f89ecc3c7a

SHA512
e38cb0ee3c9d29a71d684fde35e7638c6f92a2a50640961ba8bae639881d8e22fb26c27a86a1be66b3c115c439fe44666b67608578b91d0fbc2ff8ca2a2ab9c8

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
518B

MD5
72dc076878e1ed96629111a76edd1bd4

SHA1
1fc264cab84a91deae845882b5dd7fd13125facb

SHA256
994b873edaa12434f6e58bad398fd4a24368d016a658df7820d1850e5eba6d48

SHA512
8d14c4e52af4f07b63796a7da6bb4f75d26917369cd2cb79a0733501b1021140a17940c90f808ab5fc362c2ab49a51f16f8e07bb884a90999c408b680269f96b

Download Submit
C:\Windows\Temp\wzzuooav\wzzuooav.dll

Filesize
4KB

MD5
fd2c975a5291cab383babd07cebf24dd

SHA1
a239af5af06fd4e655af8ea7b873b9a6cfae977f

SHA256
d3b6408d1f12b707024815dddb36174e851721f1826ea9e8d7f15467415e6dea

SHA512
3d494a38a77cdd853b7fc6c9a961250b4d82ef36d093f818fa154070ba3e801f6f13c7587b4d84dc277886d6e98551b64ffc14f4667155d81ed1dd45f844a6ae

Download Submit
\??\c:\Windows\Temp\wzzuooav\CSCBBC3F1941BB4D13B065C3465F7E636.TMP

Filesize
652B

MD5
9c1a7fdacdbbd2c011aad7f9bbbc7422

SHA1
7efdf7962f469e169a258101ac022fcf3642f050

SHA256
81294a2e9bb1c7f04ac9f8e1954eba47ba272d5ed346898dbb1cd001f71256fb

SHA512
0970dab9fde3f70b0d1205e6ef8641487357d218fcd151d6d7f4bcc4d43a78a46ea838a5704ce954174a92f1ddee41ad22ff2d68ab83edec962df61720348f83

Download Submit
\??\c:\Windows\Temp\wzzuooav\wzzuooav.0.cs

Filesize
884B

MD5
eafbb318108fc62a15b458ebba405940

SHA1
0c5f45d0cab61ef4fa12f13f020ca45cba04863a

SHA256
45ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2

SHA512
bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8

Download Submit
\??\c:\Windows\Temp\wzzuooav\wzzuooav.cmdline

Filesize
333B

MD5
3eeda69a302044dad9c6e6b8727713be

SHA1
bb727829f4dbce8f287f15264e483bab58a98532

SHA256
f50a48f78c94ce997e9eb749762cd32eb1f7b045db49a6cd6d56577faf51a3b6

SHA512
baa1977734a70b11f8decfbd710cf3ed475d35c85349830bba85d3048f260f7342c88f40307b2f4bfd86e29abb87a8157dd4b30dcc8af156c3254d55ff3e8904

Download Submit
memory/1616-4138-0x000001A07F830000-0x000001A07F852000-memory.dmp

Filesize
136KB

Download
memory/3904-4610-0x000001B653F00000-0x000001B653F10000-memory.dmp

Filesize
64KB

Download
memory/3904-4609-0x000001B653F00000-0x000001B653F10000-memory.dmp

Filesize
64KB

Download
memory/3904-4608-0x000001B653F00000-0x000001B653F10000-memory.dmp

Filesize
64KB

Download
memory/4104-4478-0x0000012DD31D0000-0x0000012DD31E0000-memory.dmp

Filesize
64KB

Download
memory/4104-4468-0x0000012DD31D0000-0x0000012DD31E0000-memory.dmp

Filesize
64KB

Download