Malware Analysis Report

2024-09-23 18:10

Sample ID 240503-s5cm1adc48
Target _51动漫 稀有视频,24小时不断更.rar
SHA256 d5cebe4a1c84c8cfc3f542c2eb59a22d64ccc1a1b176050ba251299c4e6844d7
Tags
qr link
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d5cebe4a1c84c8cfc3f542c2eb59a22d64ccc1a1b176050ba251299c4e6844d7

Threat Level: Likely malicious

The file _51动漫 稀有视频,24小时不断更.rar was found to be: Likely malicious.

Malicious Activity Summary

qr link

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Runs ping.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-03 15:42

Signatures

One or more HTTP URLs in qr code identified

qr link

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 15:42

Reported

2024-05-03 15:44

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\_51动漫 稀有视频,24小时不断更.rar"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A yandex.com N/A N/A
N/A yandex.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A yandex.com N/A N/A
N/A yandex.com N/A N/A
N/A camo.githubusercontent.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-700.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-700.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-700.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 4612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4580 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\_51动漫 稀有视频,24小时不断更.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7a60cc40,0x7fff7a60cc4c,0x7fff7a60cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1852 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2476 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2580 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3116 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4524 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4912 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1872 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bcf657a-cb1c-4d57-ba8a-21df63d77e71} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b8dd1a4-948b-42ec-964a-6f9fb7cd8150} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 2948 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db63211-e2f9-4617-89c5-838a1c151b5b} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 2 -isForBrowser -prefsHandle 1592 -prefMapHandle 3648 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {510b7a73-5635-4b38-b1a4-b0cad252838e} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4868 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c921fe-58a9-4bfd-8a6f-3cc8e04d4ba5} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5348 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {711f5c77-02b3-4076-8258-71d2e87f0aae} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c3c1da0-abeb-4fc4-9a6e-bae3b662f14c} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f10c4e2-9684-48b8-a122-027d8cd6d9ba} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87bd1249-e97e-47f8-b709-9867a9a75521} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 7 -isForBrowser -prefsHandle 5416 -prefMapHandle 5432 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ae83f47-7118-4f32-a7ad-bc8ee9fbbbc6} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -childID 8 -isForBrowser -prefsHandle 5396 -prefMapHandle 5304 -prefsLen 27877 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {905d40a3-a10c-439a-8aae-3c69f547184d} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Users\Admin\Downloads\winrar-x64-700.exe

"C:\Users\Admin\Downloads\winrar-x64-700.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 9 -isForBrowser -prefsHandle 6452 -prefMapHandle 5824 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1a58fa-c99c-4cad-a516-78d1de098926} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7352 -childID 10 -isForBrowser -prefsHandle 7376 -prefMapHandle 7372 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a1e0127-f33c-4aec-ac12-16fd98584ae8} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_16873150.cmd" "

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_16873150.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16873150.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f

C:\Windows\System32\cmd.exe

cmd.exe /c ""C:\Windows\Temp\MAS_16873150.cmd" -qedit"

C:\Windows\System32\reg.exe

reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_16873150.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16873150.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "

C:\Windows\System32\find.exe

find "127.69.2.6"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $ExecutionContext.SessionState.LanguageMode

C:\Windows\System32\find.exe

find /i "Full"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc query UsoSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc query CryptSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc query BITS

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc query TrustedInstaller

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\System32\sc.exe

sc query WaaSMedicSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\System32\sc.exe

sc config DoSvc start= delayed-auto

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Start-Service DoSvc

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc query UsoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc query CryptSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc query BITS

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc query TrustedInstaller

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc query WaaSMedicSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16873150.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16873150.cmd') -split ':wpatest\:.*';iex ($f[1]);"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "9" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe {AF2A176D-0F94-47FC-8499-E987C4B75B8D}

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /dlv

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility

C:\Windows\System32\find.exe

find /i "windowsupdate"

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s

C:\Windows\System32\findstr.exe

findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo: "

C:\Windows\System32\find.exe

find /i "wuauserv"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "

C:\Windows\System32\find.exe

find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Restart-Service ClipSVC

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem4C22.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem53B4.tmp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 chrome.google.com udp
GB 172.217.16.238:443 chrome.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
N/A 127.0.0.1:62617 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 44.233.67.78:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 78.67.233.44.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
N/A 127.0.0.1:62625 tcp
US 8.8.8.8:53 www.mozilla.org udp
DE 18.173.230.179:443 www.mozilla.org tcp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 179.230.173.18.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 219.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 yandex.com udp
RU 5.255.255.50:80 yandex.com tcp
RU 5.255.255.50:80 yandex.com tcp
US 8.8.8.8:53 yandex.com udp
US 8.8.8.8:53 yandex.com udp
RU 5.255.255.50:443 yandex.com tcp
US 8.8.8.8:53 50.255.255.5.in-addr.arpa udp
US 8.8.8.8:53 yastatic.net udp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
US 8.8.8.8:53 yastatic.net udp
US 8.8.8.8:53 yastatic.net udp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
RU 178.154.131.215:443 yastatic.net tcp
US 8.8.8.8:53 mc.yandex.ru udp
RU 87.250.250.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 mc.yandex.com udp
RU 87.250.251.119:443 mc.yandex.com tcp
RU 87.250.251.119:443 mc.yandex.com tcp
US 8.8.8.8:53 215.131.154.178.in-addr.arpa udp
US 8.8.8.8:53 119.250.250.87.in-addr.arpa udp
US 8.8.8.8:53 119.251.250.87.in-addr.arpa udp
RU 178.154.131.215:443 yastatic.net tcp
RU 87.250.250.119:443 mc.yandex.com tcp
US 8.8.8.8:53 avatars.mds.yandex.net udp
US 8.8.8.8:53 favicon.yandex.net udp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
US 8.8.8.8:53 avatars.mds.yandex.net udp
RU 87.250.250.36:443 favicon.yandex.net tcp
US 8.8.8.8:53 favicon.yandex.net udp
US 8.8.8.8:53 favicon.yandex.net udp
US 8.8.8.8:53 avatars.mds.yandex.net udp
US 8.8.8.8:53 36.250.250.87.in-addr.arpa udp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
RU 87.250.247.182:443 avatars.mds.yandex.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 44.238.144.40:443 location.services.mozilla.com tcp
US 8.8.8.8:53 locprod2-elb-us-west-2.prod.mozaws.net udp
US 8.8.8.8:53 static-mon.yandex.net udp
US 8.8.8.8:53 locprod2-elb-us-west-2.prod.mozaws.net udp
US 8.8.8.8:53 yabs.yandex.ru udp
RU 87.250.251.92:443 static-mon.yandex.net tcp
US 8.8.8.8:53 cryprox.yandex.net udp
RU 213.180.204.91:443 yabs.yandex.ru tcp
US 8.8.8.8:53 yabs.yandex.ru udp
US 8.8.8.8:53 yabs.yandex.ru udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 cryprox.yandex.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 2.18.121.197:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6n6s.gvt1.com udp
GB 173.194.3.70:443 r1---sn-aigl6n6s.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6n6s.gvt1.com udp
GB 173.194.3.70:443 r1.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 182.247.250.87.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 92.251.250.87.in-addr.arpa udp
US 8.8.8.8:53 91.204.180.213.in-addr.arpa udp
US 8.8.8.8:53 40.144.238.44.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 70.3.194.173.in-addr.arpa udp
US 8.8.8.8:53 www.win-rar.com udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 www.win-rar.com udp
US 8.8.8.8:53 www.win-rar.com udp
US 8.8.8.8:53 163.68.195.51.in-addr.arpa udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 172.217.16.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 172.217.16.238:443 consent.google.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.114.22:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 140.82.114.22:443 glb-db52c2cf8be544.github.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 22.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 massgrave.dev udp
US 172.67.201.171:443 massgrave.dev tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 171.201.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 updatecheck.massgrave.dev udp
US 8.8.8.8:53 l.root-servers.net udp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.164.114:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv501.prod.do.dsp.mp.microsoft.com udp
US 23.220.113.123:443 kv501.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 114.164.104.51.in-addr.arpa udp
US 8.8.8.8:53 cp501.prod.do.dsp.mp.microsoft.com udp
US 23.220.113.123:443 cp501.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 123.113.220.23.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 114.66.68.104.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp

Files

\??\pipe\crashpad_5020_PHTAYLQJWUYVEOIA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1ba4b5c5c29bea2198b895b4c6160351
SHA1 90f4e78da6b5f10f391670d9ea24a80fffe2d0a3
SHA256 e3963957aa123727a84d96aa18c87d1cccbcc864f25fbafbcdef29f596a66dfb
SHA512 5336d23cb6f74543d0717dd27e53d7f8665b1de5c0eb0191bfa175ba2d95d877901fd172d5a8e6160c4576cf1cffb9a673110307b8823831c69fa5329cd47880

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4ef38612260d23f25573485cd1cb8b6f
SHA1 6a00b911c25a74f9f22db40c64005e49d4065f6a
SHA256 313cf0f0b47caf2b63807ff35288866c5b512d39604a925d144ca767d6c76fd9
SHA512 e0bfb16222bf831ea6a14317dddf4592b6cba72c1fb3826f40a311165653fbf69454d8c448b89ca48dcab6aef79b7adbb03e45c23bdf6ab94c13c817e91ec72c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c74bde5ac7e5f513b5a1078c5d363d71
SHA1 21f7c9c4d9daae9aebee4582bf7c030675da1ac7
SHA256 396b5d43b7aa183b175e9e38ecc0a571be902a0427ea3aae98f1a0eeb6bda48d
SHA512 e83002c64406833c7304c737d5c2f408da187ada6586160cadee8c489ae51d87b594d38b62fd65e4bf7c5ad7d3926bedf5d8da2be48791b8d71bb16f36e76c87

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 87b8b1b432a62c320bf945599f42021d
SHA1 0913bfc288ea56549344f1f4d668e6e7957a8c6e
SHA256 f0108728c68364f9893ce0d4efb624c750120a3ae405cab8de3a64bba717f706
SHA512 338fdda6e29111a3f155a79ad7f1397318039c8b99b826f520b439e3ddceb6356737fc58c81615d6c9e61b276b59e8c6318878773af6a976ed0b04d87fbb07b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\300bbd1a-8eee-456c-826e-0eb8d1760158

MD5 a33f9664b78e46dbd016c94206618dae
SHA1 15375bee0993346324fd1231dfd145889934ca75
SHA256 4d73eb6b163c4c1f93b19bf4f0bfe957da78f45c53748c630e4c917c076c3c23
SHA512 d54559bb86105fc6945c23a6cbbd2577f7599edf348da2af2fb7ba0fb51c72f7b4974d92fbd3effc24da523c3705802d20d453079c6d8f2252f72fc678096153

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\1e35bd9b-be68-4385-b9f7-d49993c9aa36

MD5 6935a94870ee9ee53eac1c08c2ba1658
SHA1 9e32c418234c2b6481ca6fa4d451563c26b0c2ce
SHA256 5db6e1cd7698fe9442b63745b3c15d4915a0100ce7944bc9db0476f7e44cb95e
SHA512 ed72a0f5475161867e6b058c3aa08dcd73c7237fd1256b8d12bedc215d7c4a8f69f393e93056019ac785665db8f926da0409e3c24be309e9ac1f22a353e49a02

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\1bc0861f-9227-4839-9813-19825bd15a56

MD5 af9a429d851e48cf198b80f3cd64b5ea
SHA1 f48a5345c8083bce66627f5564eaef30556f8484
SHA256 1ad59fbd52f4c28f8fe7f4c4d72410825bc5f7cbd4c45da984f25e65030f4d18
SHA512 13048907592d1e1d756602facd85a464875c34c558e5e221f8bc37e2939823494405eeb1a41cdaa28ceb15326d45ef87085dc7c10cf96ce555f7387d57607a6b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

MD5 6d47e38923323ae0d211dbfba2c0c5d5
SHA1 7b87ff4109bd3c60afcc4ff18f04312203e283ee
SHA256 999677f6cabf7baff9858823ebd4c99862452fede41905dd02c88bcbfb22242d
SHA512 74698fd256d6c270ae60d6c7716cfa7a781068bc540ad726b183dbc902d66134208295b08780eae7bd25e5c6b38d2861c2f576e231306c23ec7900b0ce373bb8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

MD5 9f57ecfe8615cf66d793f1cf20b22248
SHA1 5ce3f6405d9afb35462991f3ab03e2821d7ee1c9
SHA256 363b053d65ae203df0020a562f910bb1d6d02f5090bfb924839ccc21ac41c881
SHA512 0c25ffa528c3ef72931762d5d68b6068a6e0cc82c5e1dd149a92f71371bd5d992ed18f158db376c85ef8100e1a39a7506f925325f57f5723de0eb61c4e5bd966

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\AlternateServices.bin

MD5 425a9b3c9de914633dedb0006cffa9f5
SHA1 b6c6b920a37d75beb7b0f6e0ded80e322b4821bc
SHA256 ae0b859782644ad23480e84dc2bef58169ac548cf3bacfdafc760e6be7b9c4ff
SHA512 c7057a8a4582fee154a7d23aa0f29fbd5019dfdc41ebb7c961db7b99f8cb3d64e0e0411dd85074b2e293aa69ef5376ee25dfecee3d35c929f68b18c11f9f4c72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

MD5 57296fa3fe6922e7781c711af2506703
SHA1 08ef7293b8945d39508cf4cf12405a57bf02ced8
SHA256 0e025cfee2adc8a11c804c46e6548ba392802ddad2e5f627ed768413c219ffc0
SHA512 9753740362f7283295769ebc9f41a379cc976160c22900537ef03e1e9881f6a4074ef9f3bdf5df321c1ce8ec70136abf2253e7f4089b0b32fe2eca228c88d9e4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

MD5 4d07de2999467bf723a2a589a7c45050
SHA1 8f971d3b50f98a7419cf17a2eb4f6ca91b5581f7
SHA256 f5c3c9038c696c94d207e509a1b4902676b5220ee6da078fafdb0ee46bbbf67c
SHA512 a81e28518db5430de2052bad59aa7a68a2632d6bf4dc3ab78d6871228a2802c3b53e1489da1ceaf595b234cf60cda22f035082e01c9d34eae254b36448a25adc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

MD5 053c77d04ab743da6fd8c54f3e7486ae
SHA1 2213101ddebdd7dc6fcbc9fe9344f4ded0ffeb6b
SHA256 6e7acff71c3db6dafd23db76e89aa17e9203ead60fc898da235297047e116a38
SHA512 5353f832a03e91d1cf65a8f4e21742b4d8181e983b5b7e42362a5ffd195ff37539a810bbc3eaecb066778fe9c6467dc2cefb031ad52a3385257be3a724a86945

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

MD5 3eb8040b7502a706e7a985882cb0aa60
SHA1 8d8b7fc08807f1732031bd62b7b0cf057590c9f3
SHA256 6bcff12ed87c1900546602c88796eb1a8a935eb1a4ced8fcf31aebf9bb240f9a
SHA512 ea3ac82bb0f6c4b8abf5463ead365a598f094dcf74cd71c2daa49ac26f03ded06c4efd974eee058f44ad4fbe34c61f0e0bb8a47bfef33bab37dbb8a0101b4949

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

MD5 8e0f642a4d775443428d7d1d54f343db
SHA1 37dbaad4d61d9e0a728d100a5d79ce3e10be8a7c
SHA256 edf8e50d11a96a405555ec1dcf318fcc4fb4e7574160af83f936e755023a25ba
SHA512 c4d6a006bb7b05fa6bfd3ce2d43f4ec96deb003d593b6df208d0e35caab26f1c75dbcbc356d3d9648ab1ab442f60686a3bbb54254effb57832228ce4783ead12

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

MD5 84579d4688eb996d59ea5bca7b736d8e
SHA1 4e7315d67f2c7ca0f11934702da2e454b612cd0d
SHA256 b9cc919ff5bfa52d922d47d2ff8c0095d8dbb2a8573910d6a42708bdd7519d65
SHA512 62427ae2402c3e71a525bb326b2934abdf03d37c8c9afad4d1ed535512c25c0dc304efcaaceba307c250ca2a61d7ba0a9165a96c398167870e3deb43858caea7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\cache2\entries\79B0DDE3FA8DCB1BD2B4CA2ED3EB8F3088226A6C

MD5 0916e2f6c9ab73ed88f2b624bfc365e1
SHA1 4ffe35b85bda2b5e4fba060b0205d35e59274f2a
SHA256 f232368b44d93d3ef4447e7cd25fb9b70b0b45a820afad91e4a039aead3ea6dd
SHA512 c1eab5a25a29ac4cd5a4a123e96b81a533cb739ef0e0607b572728f0f154112170524458c487dbdb2ac48ba78c4a7c057e2e4f7803a3e491647bffd8de55690e

C:\Users\Admin\Downloads\winrar-x64-700.3oyFPkuJ.exe.part

MD5 48deabfacb5c8e88b81c7165ed4e3b0b
SHA1 de3dab0e9258f9ff3c93ab6738818c6ec399e6a4
SHA256 ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24
SHA512 d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

MD5 de6b17af1cb6ab111fc369f37dc69ca8
SHA1 ceeeb96010fe93ed5c37ed62db9be216d8b74ab0
SHA256 edc37ee6d047f6bb2abbfde409e2c1799a286f32dc12ae49bf45c6f658de2a78
SHA512 2943e67d986bceaf9f31c7a26d6ef9dddf828298e1fe8d81f9d5a40b501279f03e8ad19b9295c572fdf8a16d3ebbfb77bca560c68f49cd47d87d43bf72214bd9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

MD5 13191531ae735a34b47878e5bc4d73a7
SHA1 d03b0ce640c5315c98d0460465e49bdda620664c
SHA256 14aa5038f057ea453b2aeab65c4db6374e2fe5d856c878497cb8c6acbaf8a1ec
SHA512 b9a935a794ebbf8be1e5e038f685a65551809323352a835fc3a03db7957f53a7f4bb8774c3c25c64bf32b1dd5906ab6ab6a023317fd3bb4ed74915ba1439f5c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

MD5 dab002d29eb760a728c266894090ce0e
SHA1 ef917f3a124108f02a16d229b4c9b770d1355700
SHA256 31991fa46442653aa799a465ca134edad4a43382ec29926a614bfec447ef943a
SHA512 3a940bc9d3f0d7a5808bcdebf37137affe29917b9c8ac32f23b7b3cf875d5d69c5cda37ff4fcc3893126e804753cbe195cf3130fec241aa3c8f7d1a05f976fea

memory/3816-1263-0x00000169EFDD0000-0x00000169EFDF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2e2prxdm.nlf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3816-1268-0x00000169EFE70000-0x00000169EFEB4000-memory.dmp

memory/3816-1269-0x00000169F03A0000-0x00000169F0416000-memory.dmp

memory/3816-1271-0x00000169F05F0000-0x00000169F07B2000-memory.dmp

C:\Windows\Temp\MAS_16873150.cmd

MD5 d0c2664bed8979aca50d19d904149e87
SHA1 71814a7115898cac08467530fb27c46a034bd151
SHA256 22fdadf75c5d400937e9c43be16ddf6c8730b05a46b32de20968af9ba8a21c19
SHA512 4cf680da813e5629fc53ea25caf35ef3f5efec845779d7586be8af592217216c37d946b599cfb5fde1f220db2980296086e9f20cdb41793ccd7e7db5c948594d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4

MD5 30fd5d42510a93133bb58b5194342bf9
SHA1 e40fd897e6f6634cf29bcc78a406d6714891ceb7
SHA256 eca4283d561478bc11c9f59bfec68b51559a15445274ab49de73bb8eb41dd216
SHA512 60f436e03a0d7510ce8cb221daf81bcd5163a0f169c03e6627de30f53a77f12b6cfba351f43e9e7e0b24547c7be90a6fcef3be718eba26bea9db44dde8f6c302

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

MD5 0c48e2ccb0e4fb1ba8a58964c3bc0128
SHA1 317012b51b4cfdf0ec9bba10e1413bf53bf80cfc
SHA256 42c21eecb811e9303cee33edd6690f2485f3fbf2613b35cd5c9df00c541cae3c
SHA512 d6d855083db0daa6cc573dafcc0edcb0152642040cbcfd5125c00adb8fabc90c3c4e5218644cc4716dde86094112e3947c60de43cdb1b53fe18ea99781a3c766

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

MD5 4f1ece32c4aa57c9ef674d1dd4b9cbed
SHA1 bbaffdfe6a7dc908b06f4995f962373afa8873bc
SHA256 24f8ff7540e853b39dd5e3f092d8009a176acbcf2c0fbd7e05bfb8feb4961958
SHA512 4f53f97c404717f90e715da4e1921665a0aceabd92202e8e7b7f59b1eb828ba20842015a3285acfbb0eb124cbde24d750a4bb6279e669c8c1c61ea56b9573f83

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionCheckpoints.json.tmp

MD5 c8dc58eff0c029d381a67f5dca34a913
SHA1 3576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA256 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512 b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8857491a4a65a9a1d560c4705786a312
SHA1 4f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256 b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512 d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2ad33642f863ae14ee53bc6853ee330e
SHA1 ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA256 17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA512 52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismHost.exe

MD5 e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256 e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA512 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismCorePS.dll

MD5 a033f16836d6f8acbe3b27b614b51453
SHA1 716297072897aea3ec985640793d2cdcbf996cf9
SHA256 e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512 ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismprov.dll

MD5 490be3119ea17fa29329e77b7e416e80
SHA1 c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256 ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA512 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\OSProvider.dll

MD5 db4c3a07a1d3a45af53a4cf44ed550ad
SHA1 5dea737faadf0422c94f8f50e9588033d53d13b3
SHA256 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA512 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\LogProvider.dll

MD5 815a4e7a7342224a239232f2c788d7c0
SHA1 430b7526d864cfbd727b75738197230d148de21a
SHA256 a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA512 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

C:\Windows\Logs\DISM\dism.log

MD5 3a34ce4ddeb992ad7fe291b1002b7843
SHA1 9efb7bc799366cbace7e2ba7e8c87e26327aa73e
SHA256 c2176b8b065c91bdd51e4e01a994a59cde08d315e6cf882cebefd1635f712dcb
SHA512 98bc16cefa189d0dfada568fd9e9db7fe0f9b2b9132b3d39d6db50ab1e5f50a0d976f798622caf6b99fd3fd2285316944a94a295f2fc78120f0540f599a92abf

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\CbsProvider.dll.mui

MD5 6c51a3187d2464c48cc8550b141e25c5
SHA1 a42e5ae0a3090b5ab4376058e506b111405d5508
SHA256 d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199
SHA512 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\AssocProvider.dll.mui

MD5 8833761572f0964bdc1bea6e1667f458
SHA1 166260a12c3399a9aa298932862569756b4ecc45
SHA256 b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5
SHA512 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismCore.dll

MD5 b1f793773dc727b4af1648d6d61f5602
SHA1 be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256 af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA512 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\FolderProvider.dll

MD5 4f3250ecb7a170a5eb18295aa768702d
SHA1 70eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256 a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512 e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\ImagingProvider.dll

MD5 35e989a1df828378baa340f4e0b2dfcb
SHA1 59ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512 c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SysprepProvider.dll

MD5 8bd67d87dbdcf881fb9c1f4f6bf83f46
SHA1 10bd2e541b6a125c29f05958f496edf31ff9abb1
SHA256 f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204
SHA512 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SysprepProvider.dll.mui

MD5 93d076056dd01dfc64d95d4c552a2dff
SHA1 a90fd06a62c6d63d87e00f5f7e9646b44d2c726a
SHA256 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4
SHA512 b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SmiProvider.dll.mui

MD5 f32e38247d0b21476bbfb49989478f7e
SHA1 b950fd72ea2a6a94ee049454df562aed79ca1e35
SHA256 a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835
SHA512 f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SmiProvider.dll

MD5 ad7bbb62335f6dc36214d8c9fe1aaca0
SHA1 f03cb2db64c361d47a1c21f6d714e090d695b776
SHA256 ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb
SHA512 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SetupPlatformProvider.dll.mui

MD5 73e78fbbf6e6679fa643441c66628d37
SHA1 57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5
SHA256 5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06
SHA512 a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SetupPlatformProvider.dll

MD5 1ae66f4524911b2728201fff6776903c
SHA1 68bea62eb0f616af0729dbcbb80dc27de5816a83
SHA256 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3
SHA512 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\ProvProvider.dll.mui

MD5 b8a8c6c4cd89eeda1e299c212dc9c198
SHA1 f88c8a563b20864e0fc6f3d63fadda507aa2e96e
SHA256 50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea
SHA512 4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\ProvProvider.dll

MD5 70c34975e700a9d7e120aaecf9d8f14b
SHA1 e24d47f025c0ec0f60ec187bfc664e9347dc2c9c
SHA256 a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7
SHA512 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\OSProvider.dll.mui

MD5 0633e0fccd477d9b22de4dd5a84abe53
SHA1 e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9
SHA256 b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706
SHA512 e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\OfflineSetupProvider.dll.mui

MD5 015271d46ab128a854a4e9d214ab8a43
SHA1 2569deff96fb5ad6db924cee2e08a998ddc80b2a
SHA256 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec
SHA512 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\OfflineSetupProvider.dll

MD5 9cd7292cca75d278387d2bdfb940003c
SHA1 bab579889ed3ac9cb0f124842c3e495cb2ec92ac
SHA256 b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f
SHA512 ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\MsiProvider.dll.mui

MD5 c5e60ee2d8534f57fddb81ffce297763
SHA1 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2
SHA256 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145
SHA512 ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\MsiProvider.dll

MD5 9a760ddc9fdca758501faf7e6d9ec368
SHA1 5d395ad119ceb41b776690f9085f508eaaddb263
SHA256 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f
SHA512 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\LogProvider.dll.mui

MD5 8933c8d708e5acf5a458824b19fd97da
SHA1 de55756ddbeebc5ad9d3ce950acba5d2fb312331
SHA256 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6
SHA512 ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\IntlProvider.dll.mui

MD5 2eb303db5753eb7a6bb3ab773eeabdcb
SHA1 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4
SHA256 aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f
SHA512 df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\IntlProvider.dll

MD5 510e132215cef8d09be40402f355879b
SHA1 cae8659f2d3fd54eb321a8f690267ba93d56c6f1
SHA256 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52
SHA512 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\ImagingProvider.dll.mui

MD5 f2e2ba029f26341158420f3c4db9a68f
SHA1 1dee9d3dddb41460995ad8913ad701546be1e59d
SHA256 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3
SHA512 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\IBSProvider.dll.mui

MD5 d4b67a347900e29392613b5d86fe4ac2
SHA1 fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA256 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512 af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\IBSProvider.dll

MD5 120f0a2022f423fc9aadb630250f52c4
SHA1 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA256 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA512 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\GenericProvider.dll.mui

MD5 d6b02daf9583f640269b4d8b8496a5dd
SHA1 e3bc2acd8e6a73b6530bc201902ab714e34b3182
SHA256 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0
SHA512 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\GenericProvider.dll

MD5 ef7e2760c0a24453fc78359aea3d7869
SHA1 0ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256 d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512 be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\FolderProvider.dll.mui

MD5 22b4a3a1ec3b6d7aa3bc61d0812dc85f
SHA1 97ae3504a29eb555632d124022d8406fc5b6f662
SHA256 c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105
SHA512 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\FfuProvider.dll.mui

MD5 dc826a9cb121e2142b670d0b10022e22
SHA1 b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9
SHA256 ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a
SHA512 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\FfuProvider.dll

MD5 df785c5e4aacaee3bd16642d91492815
SHA1 286330d2ab07512e1f636b90613afcd6529ada1e
SHA256 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA512 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\DmiProvider.dll.mui

MD5 b7252234aa43b7295bb62336adc1b85c
SHA1 b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f
SHA256 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c
SHA512 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DmiProvider.dll

MD5 ea8488990b95ce4ef6b4e210e0d963b2
SHA1 cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA256 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA512 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\dismprov.dll.mui

MD5 7d06108999cc83eb3a23eadcebb547a5
SHA1 200866d87a490d17f6f8b17b26225afeb6d39446
SHA256 cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311
SHA512 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\DismCore.dll.mui

MD5 7a15f6e845f0679de593c5896fe171f9
SHA1 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4
SHA256 f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419
SHA512 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\AssocProvider.dll

MD5 94dc379aa020d365ea5a32c4fab7f6a3
SHA1 7270573fd7df3f3c996a772f85915e5982ad30a1
SHA256 dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\AppxProvider.dll.mui

MD5 bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1 cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA256 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA512 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\AppxProvider.dll

MD5 a7927846f2bd5e6ab6159fbe762990b1
SHA1 8e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA512 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\CbsProvider.dll

MD5 6ad0376a375e747e66f29fb7877da7d0
SHA1 a0de5966453ff2c899f00f165bbff50214b5ea39
SHA256 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA512 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

C:\Windows\Logs\DISM\dism.log

MD5 7e387d5d0707be9fa47073c133cedb08
SHA1 5043e03d1843c66d992aeefdabec3b2d613b15c0
SHA256 a2c2588e98b076c7feb39fdd596c083a3d7d5964e7d1d2454a87b22f986af6b2
SHA512 55f7fc5bb0ade2708756a4c4f0c3229500c80b37454518ca6a8c8ec1fd3f5369ebb07ff8129544709101f32a6b98d2f4566da78aaa75b31cb32782e107d8cbf3

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

MD5 67a8abe602fd21c5683962fa75f8c9fd
SHA1 e296942da1d2b56452e05ae7f753cd176d488ea8
SHA256 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA512 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

memory/2456-1827-0x000001A975DF0000-0x000001A975E00000-memory.dmp

memory/2456-1828-0x000001A975DF0000-0x000001A975E00000-memory.dmp

memory/5156-1829-0x000001F87BD60000-0x000001F87BD70000-memory.dmp

memory/5156-1830-0x000001F87BD60000-0x000001F87BD70000-memory.dmp

memory/5156-1833-0x000001F87BD60000-0x000001F87BD70000-memory.dmp

memory/2456-1834-0x000001A975DF0000-0x000001A975E00000-memory.dmp

memory/5160-1841-0x000001E510860000-0x000001E510870000-memory.dmp

memory/5160-1842-0x000001E510860000-0x000001E510870000-memory.dmp

memory/5260-1843-0x000001C9001A0000-0x000001C9001B0000-memory.dmp

memory/5260-1844-0x000001C9001A0000-0x000001C9001B0000-memory.dmp

memory/5260-1847-0x000001C9001A0000-0x000001C9001B0000-memory.dmp

memory/5160-1848-0x000001E510860000-0x000001E510870000-memory.dmp