Analysis Overview
SHA256
d5cebe4a1c84c8cfc3f542c2eb59a22d64ccc1a1b176050ba251299c4e6844d7
Threat Level: Likely malicious
The file _51动漫 稀有视频,24小时不断更.rar was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
One or more HTTP URLs in qr code identified
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Runs ping.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-03 15:42
Signatures
One or more HTTP URLs in qr code identified
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 15:42
Reported
2024-05-03 15:44
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
151s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | yandex.com | N/A | N/A |
| N/A | yandex.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | yandex.com | N/A | N/A |
| N/A | yandex.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry key
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\_51动漫 稀有视频,24小时不断更.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7a60cc40,0x7fff7a60cc4c,0x7fff7a60cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1852 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2476 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2580 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3116 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4524 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,15966804825083273296,11087953719510329618,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4912 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1872 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bcf657a-cb1c-4d57-ba8a-21df63d77e71} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b8dd1a4-948b-42ec-964a-6f9fb7cd8150} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 2948 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db63211-e2f9-4617-89c5-838a1c151b5b} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 2 -isForBrowser -prefsHandle 1592 -prefMapHandle 3648 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {510b7a73-5635-4b38-b1a4-b0cad252838e} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4868 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c921fe-58a9-4bfd-8a6f-3cc8e04d4ba5} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5348 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {711f5c77-02b3-4076-8258-71d2e87f0aae} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c3c1da0-abeb-4fc4-9a6e-bae3b662f14c} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f10c4e2-9684-48b8-a122-027d8cd6d9ba} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87bd1249-e97e-47f8-b709-9867a9a75521} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 7 -isForBrowser -prefsHandle 5416 -prefMapHandle 5432 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ae83f47-7118-4f32-a7ad-bc8ee9fbbbc6} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -childID 8 -isForBrowser -prefsHandle 5396 -prefMapHandle 5304 -prefsLen 27877 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {905d40a3-a10c-439a-8aae-3c69f547184d} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 9 -isForBrowser -prefsHandle 6452 -prefMapHandle 5824 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1a58fa-c99c-4cad-a516-78d1de098926} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7352 -childID 10 -isForBrowser -prefsHandle 7376 -prefMapHandle 7372 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a1e0127-f33c-4aec-ac12-16fd98584ae8} 5556 "\\.\pipe\gecko-crash-server-pipe.5556" tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_16873150.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_16873150.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16873150.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_16873150.cmd" -qedit"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_16873150.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_16873150.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69.2.6"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc config DoSvc start= delayed-auto
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16873150.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_16873150.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismhost.exe {AF2A176D-0F94-47FC-8499-E987C4B75B8D}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
C:\Windows\System32\find.exe
find /i "windowsupdate"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
C:\Windows\System32\findstr.exe
findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: "
C:\Windows\System32\find.exe
find /i "wuauserv"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Restart-Service ClipSVC
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem4C22.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem53B4.tmp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
Network
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6n6s.gvt1.com | udp |
| GB | 173.194.3.70:443 | r1---sn-aigl6n6s.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6n6s.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6n6s.gvt1.com | udp |
| GB | 173.194.3.70:443 | r1.sn-aigl6n6s.gvt1.com | udp |
| US | 8.8.8.8:53 | 182.247.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.251.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.204.180.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.144.238.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.3.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| US | 8.8.8.8:53 | 163.68.195.51.in-addr.arpa | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 140.82.114.22:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 22.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | massgrave.dev | udp |
| US | 172.67.201.171:443 | massgrave.dev | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 171.201.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | updatecheck.massgrave.dev | udp |
| US | 8.8.8.8:53 | l.root-servers.net | udp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 51.104.164.114:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv501.prod.do.dsp.mp.microsoft.com | udp |
| US | 23.220.113.123:443 | kv501.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 114.164.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cp501.prod.do.dsp.mp.microsoft.com | udp |
| US | 23.220.113.123:443 | cp501.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 123.113.220.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
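The connection table above mixes three different things: forward DNS queries sent to the sandbox resolver (8.8.8.8:53), the sandbox's own reverse (PTR) lookups of addresses it just contacted (the `*.in-addr.arpa` rows), and the actual TCP/UDP connections. The Python helper below is an added example, not part of the report or of the sandbox that produced it. It parses rows in this table's format (a handful of rows copied from the table are embedded as constructed sample input), groups real connections per hostname, flags cleartext HTTP (tcp/80) and QUIC (udp/443, which is why `www.google.com` shows up with `udp` on port 443), and lists PTR lookups whose address does not appear among the contacted endpoints in the parsed rows. Treating every row aimed at 8.8.8.8:53 as resolver traffic, and IPv4-only endpoint parsing, are assumptions of this example, not statements from the report.

```python
import re
from collections import defaultdict

# One row of the sandbox network table: | CC | ip:port | host | proto |
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<endpoint>\S+)\s*\|\s*(?P<host>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|\s*$"
)

# Assumption: every row whose endpoint is the resolver is a DNS query, not a connection.
RESOLVER = "8.8.8.8:53"

# Constructed sample: rows copied from the report's network table.
SAMPLE = """\
| US | 8.8.8.8:53 | yandex.com | udp |
| RU | 5.255.255.50:80 | yandex.com | tcp |
| RU | 5.255.255.50:443 | yandex.com | tcp |
| US | 8.8.8.8:53 | 50.255.255.5.in-addr.arpa | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| NL | 2.18.121.197:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | 227.212.58.216.in-addr.arpa | udp |
| US | 172.67.201.171:443 | massgrave.dev | tcp |
| US | 8.8.8.8:53 | 171.201.67.172.in-addr.arpa | udp |
"""


def parse_rows(text):
    """Return one dict per table row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ip, _, port = d["endpoint"].rpartition(":")  # IPv4 only (assumption)
        d["ip"], d["port"] = ip, int(port)
        rows.append(d)
    return rows


def ptr_to_ip(name):
    """'50.255.255.5.in-addr.arpa' -> '5.255.255.50'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and 0 <= int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows, resolver=RESOLVER):
    """Split resolver traffic from real connections and derive the checks a triager wants."""
    connections = defaultdict(set)  # host -> {"ip:port/proto"}
    dns_queries = set()             # forward lookups sent to the resolver
    ptr_ips = set()                 # addresses the sandbox looked up in reverse
    for r in rows:
        if r["endpoint"] == resolver:
            ip = ptr_to_ip(r["host"])
            if ip:
                ptr_ips.add(ip)
            else:
                dns_queries.add(r["host"])
            continue
        connections[r["host"]].add(f"{r['endpoint']}/{r['proto']}")

    real = [r for r in rows if r["endpoint"] != resolver]
    contacted_ips = {r["ip"] for r in real}
    # Cleartext HTTP: anything the host fetched over tcp/80 can be observed or tampered with.
    cleartext = sorted({(r["host"], r["endpoint"]) for r in real if r["proto"] == "tcp" and r["port"] == 80})
    # udp/443 is QUIC (HTTP/3), not a malformed TLS entry.
    quic = sorted({(r["host"], r["endpoint"]) for r in real if r["proto"] == "udp" and r["port"] == 443})
    return {
        "connections": {h: sorted(e) for h, e in connections.items()},
        "dns_queries": sorted(dns_queries),
        "cleartext": cleartext,
        "quic": quic,
        # PTR lookups for addresses not seen among the parsed connections: either the
        # connection sits in a part of the table we did not feed in, or it never happened.
        "ptr_unmatched": sorted(ptr_ips - contacted_ips),
    }


if __name__ == "__main__":
    summary = triage(parse_rows(SAMPLE))
    for host, endpoints in sorted(summary["connections"].items()):
        print(f"{host:30} {', '.join(endpoints)}")
    print("cleartext HTTP:", summary["cleartext"])
    print("QUIC:", summary["quic"])
    print("PTR lookups without a matching connection:", summary["ptr_unmatched"])
```

Feed the whole table to `parse_rows` rather than the sample to get the full picture; the `ptr_unmatched` list then becomes the set of addresses contacted elsewhere in the run (earlier in the page) that this excerpt does not show.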
Files
\??\pipe\crashpad_5020_PHTAYLQJWUYVEOIA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1ba4b5c5c29bea2198b895b4c6160351 |
| SHA1 | 90f4e78da6b5f10f391670d9ea24a80fffe2d0a3 |
| SHA256 | e3963957aa123727a84d96aa18c87d1cccbcc864f25fbafbcdef29f596a66dfb |
| SHA512 | 5336d23cb6f74543d0717dd27e53d7f8665b1de5c0eb0191bfa175ba2d95d877901fd172d5a8e6160c4576cf1cffb9a673110307b8823831c69fa5329cd47880 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4ef38612260d23f25573485cd1cb8b6f |
| SHA1 | 6a00b911c25a74f9f22db40c64005e49d4065f6a |
| SHA256 | 313cf0f0b47caf2b63807ff35288866c5b512d39604a925d144ca767d6c76fd9 |
| SHA512 | e0bfb16222bf831ea6a14317dddf4592b6cba72c1fb3826f40a311165653fbf69454d8c448b89ca48dcab6aef79b7adbb03e45c23bdf6ab94c13c817e91ec72c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c74bde5ac7e5f513b5a1078c5d363d71 |
| SHA1 | 21f7c9c4d9daae9aebee4582bf7c030675da1ac7 |
| SHA256 | 396b5d43b7aa183b175e9e38ecc0a571be902a0427ea3aae98f1a0eeb6bda48d |
| SHA512 | e83002c64406833c7304c737d5c2f408da187ada6586160cadee8c489ae51d87b594d38b62fd65e4bf7c5ad7d3926bedf5d8da2be48791b8d71bb16f36e76c87 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 87b8b1b432a62c320bf945599f42021d |
| SHA1 | 0913bfc288ea56549344f1f4d668e6e7957a8c6e |
| SHA256 | f0108728c68364f9893ce0d4efb624c750120a3ae405cab8de3a64bba717f706 |
| SHA512 | 338fdda6e29111a3f155a79ad7f1397318039c8b99b826f520b439e3ddceb6356737fc58c81615d6c9e61b276b59e8c6318878773af6a976ed0b04d87fbb07b5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\300bbd1a-8eee-456c-826e-0eb8d1760158
| MD5 | a33f9664b78e46dbd016c94206618dae |
| SHA1 | 15375bee0993346324fd1231dfd145889934ca75 |
| SHA256 | 4d73eb6b163c4c1f93b19bf4f0bfe957da78f45c53748c630e4c917c076c3c23 |
| SHA512 | d54559bb86105fc6945c23a6cbbd2577f7599edf348da2af2fb7ba0fb51c72f7b4974d92fbd3effc24da523c3705802d20d453079c6d8f2252f72fc678096153 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\1e35bd9b-be68-4385-b9f7-d49993c9aa36
| MD5 | 6935a94870ee9ee53eac1c08c2ba1658 |
| SHA1 | 9e32c418234c2b6481ca6fa4d451563c26b0c2ce |
| SHA256 | 5db6e1cd7698fe9442b63745b3c15d4915a0100ce7944bc9db0476f7e44cb95e |
| SHA512 | ed72a0f5475161867e6b058c3aa08dcd73c7237fd1256b8d12bedc215d7c4a8f69f393e93056019ac785665db8f926da0409e3c24be309e9ac1f22a353e49a02 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\1bc0861f-9227-4839-9813-19825bd15a56
| MD5 | af9a429d851e48cf198b80f3cd64b5ea |
| SHA1 | f48a5345c8083bce66627f5564eaef30556f8484 |
| SHA256 | 1ad59fbd52f4c28f8fe7f4c4d72410825bc5f7cbd4c45da984f25e65030f4d18 |
| SHA512 | 13048907592d1e1d756602facd85a464875c34c558e5e221f8bc37e2939823494405eeb1a41cdaa28ceb15326d45ef87085dc7c10cf96ce555f7387d57607a6b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 6d47e38923323ae0d211dbfba2c0c5d5 |
| SHA1 | 7b87ff4109bd3c60afcc4ff18f04312203e283ee |
| SHA256 | 999677f6cabf7baff9858823ebd4c99862452fede41905dd02c88bcbfb22242d |
| SHA512 | 74698fd256d6c270ae60d6c7716cfa7a781068bc540ad726b183dbc902d66134208295b08780eae7bd25e5c6b38d2861c2f576e231306c23ec7900b0ce373bb8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js
| MD5 | 9f57ecfe8615cf66d793f1cf20b22248 |
| SHA1 | 5ce3f6405d9afb35462991f3ab03e2821d7ee1c9 |
| SHA256 | 363b053d65ae203df0020a562f910bb1d6d02f5090bfb924839ccc21ac41c881 |
| SHA512 | 0c25ffa528c3ef72931762d5d68b6068a6e0cc82c5e1dd149a92f71371bd5d992ed18f158db376c85ef8100e1a39a7506f925325f57f5723de0eb61c4e5bd966 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\AlternateServices.bin
| MD5 | 425a9b3c9de914633dedb0006cffa9f5 |
| SHA1 | b6c6b920a37d75beb7b0f6e0ded80e322b4821bc |
| SHA256 | ae0b859782644ad23480e84dc2bef58169ac548cf3bacfdafc760e6be7b9c4ff |
| SHA512 | c7057a8a4582fee154a7d23aa0f29fbd5019dfdc41ebb7c961db7b99f8cb3d64e0e0411dd85074b2e293aa69ef5376ee25dfecee3d35c929f68b18c11f9f4c72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js
| MD5 | 57296fa3fe6922e7781c711af2506703 |
| SHA1 | 08ef7293b8945d39508cf4cf12405a57bf02ced8 |
| SHA256 | 0e025cfee2adc8a11c804c46e6548ba392802ddad2e5f627ed768413c219ffc0 |
| SHA512 | 9753740362f7283295769ebc9f41a379cc976160c22900537ef03e1e9881f6a4074ef9f3bdf5df321c1ce8ec70136abf2253e7f4089b0b32fe2eca228c88d9e4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 4d07de2999467bf723a2a589a7c45050 |
| SHA1 | 8f971d3b50f98a7419cf17a2eb4f6ca91b5581f7 |
| SHA256 | f5c3c9038c696c94d207e509a1b4902676b5220ee6da078fafdb0ee46bbbf67c |
| SHA512 | a81e28518db5430de2052bad59aa7a68a2632d6bf4dc3ab78d6871228a2802c3b53e1489da1ceaf595b234cf60cda22f035082e01c9d34eae254b36448a25adc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 053c77d04ab743da6fd8c54f3e7486ae |
| SHA1 | 2213101ddebdd7dc6fcbc9fe9344f4ded0ffeb6b |
| SHA256 | 6e7acff71c3db6dafd23db76e89aa17e9203ead60fc898da235297047e116a38 |
| SHA512 | 5353f832a03e91d1cf65a8f4e21742b4d8181e983b5b7e42362a5ffd195ff37539a810bbc3eaecb066778fe9c6467dc2cefb031ad52a3385257be3a724a86945 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js
| MD5 | 3eb8040b7502a706e7a985882cb0aa60 |
| SHA1 | 8d8b7fc08807f1732031bd62b7b0cf057590c9f3 |
| SHA256 | 6bcff12ed87c1900546602c88796eb1a8a935eb1a4ced8fcf31aebf9bb240f9a |
| SHA512 | ea3ac82bb0f6c4b8abf5463ead365a598f094dcf74cd71c2daa49ac26f03ded06c4efd974eee058f44ad4fbe34c61f0e0bb8a47bfef33bab37dbb8a0101b4949 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js
| MD5 | 8e0f642a4d775443428d7d1d54f343db |
| SHA1 | 37dbaad4d61d9e0a728d100a5d79ce3e10be8a7c |
| SHA256 | edf8e50d11a96a405555ec1dcf318fcc4fb4e7574160af83f936e755023a25ba |
| SHA512 | c4d6a006bb7b05fa6bfd3ce2d43f4ec96deb003d593b6df208d0e35caab26f1c75dbcbc356d3d9648ab1ab442f60686a3bbb54254effb57832228ce4783ead12 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 84579d4688eb996d59ea5bca7b736d8e |
| SHA1 | 4e7315d67f2c7ca0f11934702da2e454b612cd0d |
| SHA256 | b9cc919ff5bfa52d922d47d2ff8c0095d8dbb2a8573910d6a42708bdd7519d65 |
| SHA512 | 62427ae2402c3e71a525bb326b2934abdf03d37c8c9afad4d1ed535512c25c0dc304efcaaceba307c250ca2a61d7ba0a9165a96c398167870e3deb43858caea7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\cache2\entries\79B0DDE3FA8DCB1BD2B4CA2ED3EB8F3088226A6C
| MD5 | 0916e2f6c9ab73ed88f2b624bfc365e1 |
| SHA1 | 4ffe35b85bda2b5e4fba060b0205d35e59274f2a |
| SHA256 | f232368b44d93d3ef4447e7cd25fb9b70b0b45a820afad91e4a039aead3ea6dd |
| SHA512 | c1eab5a25a29ac4cd5a4a123e96b81a533cb739ef0e0607b572728f0f154112170524458c487dbdb2ac48ba78c4a7c057e2e4f7803a3e491647bffd8de55690e |
C:\Users\Admin\Downloads\winrar-x64-700.3oyFPkuJ.exe.part
| MD5 | 48deabfacb5c8e88b81c7165ed4e3b0b |
| SHA1 | de3dab0e9258f9ff3c93ab6738818c6ec399e6a4 |
| SHA256 | ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24 |
| SHA512 | d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js
| MD5 | de6b17af1cb6ab111fc369f37dc69ca8 |
| SHA1 | ceeeb96010fe93ed5c37ed62db9be216d8b74ab0 |
| SHA256 | edc37ee6d047f6bb2abbfde409e2c1799a286f32dc12ae49bf45c6f658de2a78 |
| SHA512 | 2943e67d986bceaf9f31c7a26d6ef9dddf828298e1fe8d81f9d5a40b501279f03e8ad19b9295c572fdf8a16d3ebbfb77bca560c68f49cd47d87d43bf72214bd9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 13191531ae735a34b47878e5bc4d73a7 |
| SHA1 | d03b0ce640c5315c98d0460465e49bdda620664c |
| SHA256 | 14aa5038f057ea453b2aeab65c4db6374e2fe5d856c878497cb8c6acbaf8a1ec |
| SHA512 | b9a935a794ebbf8be1e5e038f685a65551809323352a835fc3a03db7957f53a7f4bb8774c3c25c64bf32b1dd5906ab6ab6a023317fd3bb4ed74915ba1439f5c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4
| MD5 | dab002d29eb760a728c266894090ce0e |
| SHA1 | ef917f3a124108f02a16d229b4c9b770d1355700 |
| SHA256 | 31991fa46442653aa799a465ca134edad4a43382ec29926a614bfec447ef943a |
| SHA512 | 3a940bc9d3f0d7a5808bcdebf37137affe29917b9c8ac32f23b7b3cf875d5d69c5cda37ff4fcc3893126e804753cbe195cf3130fec241aa3c8f7d1a05f976fea |
memory/3816-1263-0x00000169EFDD0000-0x00000169EFDF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2e2prxdm.nlf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3816-1268-0x00000169EFE70000-0x00000169EFEB4000-memory.dmp
memory/3816-1269-0x00000169F03A0000-0x00000169F0416000-memory.dmp
memory/3816-1271-0x00000169F05F0000-0x00000169F07B2000-memory.dmp
C:\Windows\Temp\MAS_16873150.cmd
| MD5 | d0c2664bed8979aca50d19d904149e87 |
| SHA1 | 71814a7115898cac08467530fb27c46a034bd151 |
| SHA256 | 22fdadf75c5d400937e9c43be16ddf6c8730b05a46b32de20968af9ba8a21c19 |
| SHA512 | 4cf680da813e5629fc53ea25caf35ef3f5efec845779d7586be8af592217216c37d946b599cfb5fde1f220db2980296086e9f20cdb41793ccd7e7db5c948594d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 30fd5d42510a93133bb58b5194342bf9 |
| SHA1 | e40fd897e6f6634cf29bcc78a406d6714891ceb7 |
| SHA256 | eca4283d561478bc11c9f59bfec68b51559a15445274ab49de73bb8eb41dd216 |
| SHA512 | 60f436e03a0d7510ce8cb221daf81bcd5163a0f169c03e6627de30f53a77f12b6cfba351f43e9e7e0b24547c7be90a6fcef3be718eba26bea9db44dde8f6c302 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 0c48e2ccb0e4fb1ba8a58964c3bc0128 |
| SHA1 | 317012b51b4cfdf0ec9bba10e1413bf53bf80cfc |
| SHA256 | 42c21eecb811e9303cee33edd6690f2485f3fbf2613b35cd5c9df00c541cae3c |
| SHA512 | d6d855083db0daa6cc573dafcc0edcb0152642040cbcfd5125c00adb8fabc90c3c4e5218644cc4716dde86094112e3947c60de43cdb1b53fe18ea99781a3c766 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js
| MD5 | 4f1ece32c4aa57c9ef674d1dd4b9cbed |
| SHA1 | bbaffdfe6a7dc908b06f4995f962373afa8873bc |
| SHA256 | 24f8ff7540e853b39dd5e3f092d8009a176acbcf2c0fbd7e05bfb8feb4961958 |
| SHA512 | 4f53f97c404717f90e715da4e1921665a0aceabd92202e8e7b7f59b1eb828ba20842015a3285acfbb0eb124cbde24d750a4bb6279e669c8c1c61ea56b9573f83 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionCheckpoints.json.tmp
| MD5 | c8dc58eff0c029d381a67f5dca34a913 |
| SHA1 | 3576807e793473bcbd3cf7d664b83948e3ec8f2d |
| SHA256 | 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17 |
| SHA512 | b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8857491a4a65a9a1d560c4705786a312 |
| SHA1 | 4f3caf2ad5d66a2410c9cca0381d26a46e832cb4 |
| SHA256 | b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360 |
| SHA512 | d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2ad33642f863ae14ee53bc6853ee330e |
| SHA1 | ca81cc7d8c33a46ebe97bc1d3db55e41a813029e |
| SHA256 | 17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19 |
| SHA512 | 52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 235a8eb126d835efb2e253459ab8b089 |
| SHA1 | 293fbf68e6726a5a230c3a42624c01899e35a89f |
| SHA256 | 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686 |
| SHA512 | a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 3a34ce4ddeb992ad7fe291b1002b7843 |
| SHA1 | 9efb7bc799366cbace7e2ba7e8c87e26327aa73e |
| SHA256 | c2176b8b065c91bdd51e4e01a994a59cde08d315e6cf882cebefd1635f712dcb |
| SHA512 | 98bc16cefa189d0dfada568fd9e9db7fe0f9b2b9132b3d39d6db50ab1e5f50a0d976f798622caf6b99fd3fd2285316944a94a295f2fc78120f0540f599a92abf |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SysprepProvider.dll.mui
| MD5 | 93d076056dd01dfc64d95d4c552a2dff |
| SHA1 | a90fd06a62c6d63d87e00f5f7e9646b44d2c726a |
| SHA256 | 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4 |
| SHA512 | b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SmiProvider.dll.mui
| MD5 | f32e38247d0b21476bbfb49989478f7e |
| SHA1 | b950fd72ea2a6a94ee049454df562aed79ca1e35 |
| SHA256 | a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835 |
| SHA512 | f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\SetupPlatformProvider.dll.mui
| MD5 | 73e78fbbf6e6679fa643441c66628d37 |
| SHA1 | 57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5 |
| SHA256 | 5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06 |
| SHA512 | a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\ProvProvider.dll.mui
| MD5 | b8a8c6c4cd89eeda1e299c212dc9c198 |
| SHA1 | f88c8a563b20864e0fc6f3d63fadda507aa2e96e |
| SHA256 | 50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea |
| SHA512 | 4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\OSProvider.dll.mui
| MD5 | 0633e0fccd477d9b22de4dd5a84abe53 |
| SHA1 | e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9 |
| SHA256 | b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706 |
| SHA512 | e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\OfflineSetupProvider.dll.mui
| MD5 | 015271d46ab128a854a4e9d214ab8a43 |
| SHA1 | 2569deff96fb5ad6db924cee2e08a998ddc80b2a |
| SHA256 | 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec |
| SHA512 | 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\MsiProvider.dll.mui
| MD5 | c5e60ee2d8534f57fddb81ffce297763 |
| SHA1 | 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2 |
| SHA256 | 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145 |
| SHA512 | ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\LogProvider.dll.mui
| MD5 | 8933c8d708e5acf5a458824b19fd97da |
| SHA1 | de55756ddbeebc5ad9d3ce950acba5d2fb312331 |
| SHA256 | 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6 |
| SHA512 | ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\IntlProvider.dll.mui
| MD5 | 2eb303db5753eb7a6bb3ab773eeabdcb |
| SHA1 | 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4 |
| SHA256 | aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f |
| SHA512 | df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\ImagingProvider.dll.mui
| MD5 | f2e2ba029f26341158420f3c4db9a68f |
| SHA1 | 1dee9d3dddb41460995ad8913ad701546be1e59d |
| SHA256 | 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3 |
| SHA512 | 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\GenericProvider.dll.mui
| MD5 | d6b02daf9583f640269b4d8b8496a5dd |
| SHA1 | e3bc2acd8e6a73b6530bc201902ab714e34b3182 |
| SHA256 | 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0 |
| SHA512 | 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\278BC14F-7838-4FD8-832B-3BC6108A3B66\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 7e387d5d0707be9fa47073c133cedb08 |
| SHA1 | 5043e03d1843c66d992aeefdabec3b2d613b15c0 |
| SHA256 | a2c2588e98b076c7feb39fdd596c083a3d7d5964e7d1d2454a87b22f986af6b2 |
| SHA512 | 55f7fc5bb0ade2708756a4c4f0c3229500c80b37454518ca6a8c8ec1fd3f5369ebb07ff8129544709101f32a6b98d2f4566da78aaa75b31cb32782e107d8cbf3 |
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket
| MD5 | 67a8abe602fd21c5683962fa75f8c9fd |
| SHA1 | e296942da1d2b56452e05ae7f753cd176d488ea8 |
| SHA256 | 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411 |
| SHA512 | 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6 |