Analysis Overview
SHA256
533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0
Threat Level: Shows suspicious behavior
The file MAS_AIO-CRC32_31F7FD1E.cmd was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Detected potential entity reuse from brand microsoft.
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 17:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 17:13
Reported
2024-06-20 17:28
Platform
win10v2004-20240611-es
Max time kernel
842s
Max time network
842s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe | N/A |
Loads dropped DLL
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT | C:\Windows\system32\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\System\sppcs.dll | C:\Windows\System32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
Launches sc.exe
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "60" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "0" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "32" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\signup.live.com | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\hsprotect.net | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "177" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "0" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "122" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "32" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "221" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "3693" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "122" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\NumberOfSubdomains = "1" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "20" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "20" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "168" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3733" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.com | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "3693" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "0" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "40" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "177" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "2" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "20" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "128" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "217" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "1" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "0" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "261" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "221" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "128" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633775353780673" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedge.stable_8wekyb3d8bbwe\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.creddialoghost_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.client.cbs_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\ = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.aad.brokerplugin_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.ecapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.undockeddevkit_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "122" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.win32webviewhost_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{100BEB3C-74F3-45D0-9D48-EE8EE61E0779} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdomai = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "122" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.xgpuejectdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.xboxgamecallableui_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com | C:\Windows\system32\wwahost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.accountscontrol_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.lockapp_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\ncsiuwpapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.bioenrollment_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.apprep.chxapp_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.callingshellapp_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.printdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId | C:\Windows\system32\SettingSyncHost.exe | N/A |
Modifies registry key
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" -qedit"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69.2.6"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc config DoSvc start= delayed-auto
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe {215EE2D0-1153-4CF5-92A8-3419BBB2F70A}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
C:\Windows\System32\find.exe
find /i "windowsupdate"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
C:\Windows\System32\findstr.exe
findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: "
C:\Windows\System32\find.exe
find /i "wuauserv"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Set-WinHomeLocation -GeoId 244"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Restart-Service ClipSVC
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem126A.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem1345.tmp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Set-WinHomeLocation -GeoId 217"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 76, 25
C:\Windows\System32\choice.exe
choice /C:1230 /N
C:\Windows\System32\mode.com
mode 130, 32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe {6AAB1661-765A-48DB-B215-801BAE6016E8}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
C:\Windows\System32\find.exe
find /i "Office"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\System32\sc.exe
sc query ClickToRunSvc
C:\Windows\System32\sc.exe
sc query OfficeSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
C:\Windows\System32\find.exe
find /i "Wow6432Node"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
C:\Windows\System32\findstr.exe
findstr /i "Retail Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "" "
C:\Windows\System32\find.exe
find /i " ProPlusRetail.16 "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
C:\Windows\System32\find.exe
find /i "2024"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
C:\Windows\System32\find.exe
find /i "Subscription"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"
C:\Windows\System32\find.exe
find /i "Error found"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-18\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\System32\reg.exe
reg query "HKCU\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
C:\Windows\System32\find.exe
find /i "Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
C:\Windows\System32\find.exe
find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /upk 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebaf6ab58,0x7ffebaf6ab68,0x7ffebaf6ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2056 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3980 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3496 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3448 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4412 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4452 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3636 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1536 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5208 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5200 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Windows\system32\SettingSyncHost.exe
C:\Windows\system32\SettingSyncHost.exe -Embedding
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {72C984BA-0666-4D3F-A0DE-96BF43838E6E} /I {0CB6E812-BD37-4416-BFAE-E44A7C15B453} /X 0x1
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 76, 25
C:\Windows\System32\choice.exe
choice /C:1230 /N
C:\Windows\System32\mode.com
mode 130, 32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "9" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe {8985BFB9-C941-4C84-AA2F-DF718FE46BCF}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
C:\Windows\System32\find.exe
find /i "Office"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\System32\sc.exe
sc query ClickToRunSvc
C:\Windows\System32\sc.exe
sc query OfficeSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
C:\Windows\System32\find.exe
find /i "Wow6432Node"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
C:\Windows\System32\findstr.exe
findstr /i "Retail Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "" "
C:\Windows\System32\find.exe
find /i " ProPlusRetail.16 "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
C:\Windows\System32\find.exe
find /i "2024"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
C:\Windows\System32\find.exe
find /i "Subscription"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-18\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\System32\reg.exe
reg query "HKCU\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
C:\Windows\System32\find.exe
find /i "Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 76, 25
C:\Windows\System32\choice.exe
choice /C:1230 /N
C:\Windows\System32\mode.com
mode 130, 32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "10" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe {212E4BE1-937E-4A06-9235-5B2CCB6A2403}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""
C:\Windows\System32\find.exe
find /i "Office"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
C:\Windows\System32\sc.exe
sc query ClickToRunSvc
C:\Windows\System32\sc.exe
sc query OfficeSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
C:\Windows\System32\find.exe
find /i "Wow6432Node"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
C:\Windows\System32\findstr.exe
findstr /i "Retail Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "" "
C:\Windows\System32\find.exe
find /i " ProPlusRetail.16 "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "
C:\Windows\System32\find.exe
find /i "2024"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "
C:\Windows\System32\find.exe
find /i "Subscription"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"
C:\Windows\System32\find.exe
find /i "Error found"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\System32\reg.exe
reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext
C:\Windows\System32\findstr.exe
findstr /i "volume retail"
C:\Windows\System32\findstr.exe
findstr /i "0x2 0x3"
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-18\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-19\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Volatile Environment"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\System32\reg.exe
reg query "HKCU\Volatile Environment"
C:\Windows\System32\reg.exe
reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "
C:\Windows\System32\find.exe
find /i "Volume"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "
C:\Windows\System32\find.exe
find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5004 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6076 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | updatecheck.massgrave.dev | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | l.root-servers.net | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 13.74.138.254:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.138.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kv501.prod.do.dsp.mp.microsoft.com | udp |
| SE | 23.34.234.75:443 | kv501.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp501.prod.do.dsp.mp.microsoft.com | udp |
| SE | 23.34.234.75:443 | cp501.prod.do.dsp.mp.microsoft.com | tcp |
| SE | 23.34.234.75:443 | cp501.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 75.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | purchase.mp.microsoft.com | udp |
| BE | 23.41.178.82:443 | purchase.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 82.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | odc.officeapps.live.com | udp |
| GB | 52.109.28.48:443 | odc.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 48.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| SE | 184.31.15.170:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | signup.live.com | udp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 13.107.42.22:443 | signup.live.com | tcp |
| US | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 170.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fpt.live.com | udp |
| US | 8.8.8.8:53 | msft.hsprotect.net | udp |
| US | 52.167.30.171:443 | fpt.live.com | tcp |
| SE | 2.21.96.91:443 | msft.hsprotect.net | tcp |
| US | 8.8.8.8:53 | client.hsprotect.net | udp |
| SE | 2.21.96.106:443 | client.hsprotect.net | tcp |
| US | 8.8.8.8:53 | fpt2.microsoft.com | udp |
| US | 52.167.30.171:443 | fpt2.microsoft.com | tcp |
| US | 8.8.8.8:53 | collector-pxzc5j78di.hsprotect.net | udp |
| US | 35.190.10.96:443 | collector-pxzc5j78di.hsprotect.net | tcp |
| US | 8.8.8.8:53 | 91.96.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.30.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.96.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | fpt.microsoft.com | udp |
| US | 52.167.30.171:443 | fpt.microsoft.com | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | 96.10.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 13.107.42.22:443 | signup.live.com | tcp |
| US | 8.8.8.8:53 | iframe.arkoselabs.com | udp |
| US | 104.18.33.170:443 | iframe.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | 170.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | client-api.arkoselabs.com | udp |
| US | 172.64.154.86:443 | client-api.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | 86.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 52.96.214.50:443 | outlook.com | tcp |
| US | 52.96.214.50:443 | outlook.com | tcp |
| US | 8.8.8.8:53 | www.outlook.com | udp |
| GB | 40.99.213.34:443 | www.outlook.com | tcp |
| US | 8.8.8.8:53 | 50.214.96.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | outlook.live.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| SE | 23.34.233.128:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 34.213.99.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.233.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | play.vidyard.com | udp |
| US | 151.101.193.181:443 | play.vidyard.com | tcp |
| US | 8.8.8.8:53 | cdn-dynmedia-1.microsoft.com | udp |
| BE | 23.41.178.89:443 | cdn-dynmedia-1.microsoft.com | tcp |
| BE | 23.41.178.89:443 | cdn-dynmedia-1.microsoft.com | tcp |
| US | 8.8.8.8:53 | 181.193.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mem.gfx.ms | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.25:443 | browser.events.data.microsoft.com | tcp |
| US | 20.189.173.25:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | fpt.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 52.167.30.171:443 | fpt.microsoft.com | tcp |
| US | 8.8.8.8:53 | assets.adobedtm.com | udp |
| SE | 23.34.232.228:443 | assets.adobedtm.com | tcp |
| US | 52.167.30.171:443 | fpt.microsoft.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 20.189.173.25:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.232.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fpt2.microsoft.com | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logincdn.msftauth.net | udp |
| US | 8.8.8.8:53 | acctcdn.msauth.net | udp |
| US | 8.8.8.8:53 | acctcdn.msftauth.net | udp |
| US | 152.199.21.175:443 | acctcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | acctcdnmsftuswe2.azureedge.net | udp |
| US | 152.199.21.175:443 | acctcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | acctcdnvzeuno.azureedge.net | udp |
| US | 8.8.8.8:53 | lgincdnmsftuswe2.azureedge.net | udp |
| US | 8.8.8.8:53 | lgincdnvzeuno.azureedge.net | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| GB | 40.99.213.34:443 | outlook.live.com | udp |
| US | 8.8.8.8:53 | signup.live.com | udp |
| US | 13.107.42.22:443 | signup.live.com | tcp |
| US | 8.8.8.8:53 | fpt.live.com | udp |
| US | 8.8.8.8:53 | msft.hsprotect.net | udp |
| SE | 2.21.96.106:443 | msft.hsprotect.net | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | client.hsprotect.net | udp |
| SE | 2.21.96.106:443 | client.hsprotect.net | tcp |
| US | 8.8.8.8:53 | collector-pxzc5j78di.hsprotect.net | udp |
| US | 35.190.10.96:443 | collector-pxzc5j78di.hsprotect.net | tcp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 35.190.10.96:443 | collector-pxzc5j78di.hsprotect.net | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | aka.ms | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | iframe.arkoselabs.com | udp |
| US | 104.18.33.170:443 | iframe.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | client-api.arkoselabs.com | udp |
| US | 104.18.33.170:443 | client-api.arkoselabs.com | udp |
| US | 8.8.8.8:53 | msft.hsprotect.net | udp |
| US | 8.8.8.8:53 | signup.live.com | udp |
| US | 8.8.8.8:53 | iframe.arkoselabs.com | udp |
| US | 8.8.8.8:53 | msft.hsprotect.net | udp |
| US | 13.107.42.22:443 | signup.live.com | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| IE | 20.50.73.13:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logincdn.msftauth.net | udp |
| US | 8.8.8.8:53 | acctcdn.msauth.net | udp |
| US | 8.8.8.8:53 | acctcdn.msftauth.net | udp |
| US | 152.199.21.175:443 | acctcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | acctcdnmsftuswe2.azureedge.net | udp |
| US | 152.199.21.175:443 | acctcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | lgincdnmsftuswe2.azureedge.net | udp |
| US | 152.199.21.175:443 | acctcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| IE | 20.50.73.13:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | outlook.live.com | udp |
| GB | 52.97.219.242:443 | outlook.live.com | udp |
| GB | 52.97.219.242:443 | outlook.live.com | tcp |
| US | 8.8.8.8:53 | 242.219.97.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | res.cdn.office.net | udp |
| SE | 184.31.15.227:443 | res.cdn.office.net | tcp |
| SE | 184.31.15.227:443 | res.cdn.office.net | udp |
| US | 8.8.8.8:53 | 227.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 104.208.16.90:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| SE | 184.31.15.227:443 | res.cdn.office.net | udp |
| US | 8.8.8.8:53 | csp.microsoft.com | udp |
| GB | 52.109.28.48:443 | odc.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | eu-office.events.data.microsoft.com | udp |
| IE | 20.50.73.9:443 | eu-office.events.data.microsoft.com | tcp |
| IE | 20.50.73.9:443 | eu-office.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.16.234:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| GB | 52.97.219.242:443 | outlook.live.com | udp |
| GB | 52.97.219.242:443 | outlook.live.com | tcp |
| GB | 52.97.219.242:443 | outlook.live.com | tcp |
| US | 8.8.8.8:53 | ecs.office.com | udp |
| US | 52.113.194.132:443 | ecs.office.com | tcp |
| US | 8.8.8.8:53 | 132.194.113.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logincdn.msftauth.net | udp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| US | 152.199.21.175:443 | logincdn.msftauth.net | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | lgincdnvzeuno.azureedge.net | udp |
| US | 152.199.21.175:443 | lgincdnvzeuno.azureedge.net | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | acdn.adnxs.com | udp |
| US | 8.8.8.8:53 | c.live.com | udp |
| US | 151.101.129.108:443 | acdn.adnxs.com | tcp |
| IE | 68.219.88.97:443 | c.live.com | tcp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| US | 204.79.197.237:443 | c.bing.com | tcp |
| US | 8.8.8.8:53 | storage.live.com | udp |
| US | 8.8.8.8:53 | amcdn.msftauth.net | udp |
| NL | 13.104.158.183:443 | storage.live.com | tcp |
| BE | 23.41.178.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 108.129.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.88.219.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.158.104.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eb2.3lift.com | udp |
| US | 8.8.8.8:53 | m.adnxs.com | udp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| NL | 185.89.211.84:443 | m.adnxs.com | tcp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| US | 8.8.8.8:53 | consent.config.office.com | udp |
| GB | 20.77.247.178:443 | consent.config.office.com | tcp |
| US | 8.8.8.8:53 | cdn.adnxs.com | udp |
| US | 8.8.8.8:53 | ams3-ib.adnxs.com | udp |
| BE | 23.41.178.104:443 | www.bing.com | udp |
| US | 151.101.1.108:443 | cdn.adnxs.com | tcp |
| US | 8.8.8.8:53 | admin.microsoft.com | udp |
| US | 13.107.9.156:443 | admin.microsoft.com | tcp |
| US | 8.8.8.8:53 | 18.111.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.211.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.247.77.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.9.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| NL | 20.50.201.205:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
| US | 151.101.129.108:443 | cdn.adnxs.com | tcp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | windows.policies.live.net | udp |
| IE | 40.90.128.17:443 | windows.policies.live.net | tcp |
| US | 8.8.8.8:53 | www.windowssearch.com | udp |
| US | 150.171.28.10:443 | www.windowssearch.com | tcp |
| US | 8.8.8.8:53 | substrate.office.com | udp |
| GB | 40.99.202.66:443 | substrate.office.com | tcp |
| US | 8.8.8.8:53 | 17.128.90.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.202.99.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | continuum.dds.microsoft.com | udp |
| IE | 20.82.217.86:443 | continuum.dds.microsoft.com | tcp |
| US | 8.8.8.8:53 | odc.officeapps.live.com | udp |
| IE | 52.109.76.144:443 | odc.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 86.217.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| GB | 40.99.202.66:443 | substrate.office.com | tcp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | ocws.officeapps.live.com | udp |
| IE | 52.109.76.62:443 | ocws.officeapps.live.com | tcp |
| IE | 52.109.76.62:443 | ocws.officeapps.live.com | tcp |
| IE | 52.109.76.62:443 | ocws.officeapps.live.com | tcp |
| IE | 52.109.76.62:443 | ocws.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage.live.com | udp |
| IE | 40.90.128.17:443 | storage.live.com | tcp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| GB | 52.98.201.82:443 | outlook.office365.com | tcp |
| GB | 52.98.201.82:443 | outlook.office365.com | udp |
| US | 8.8.8.8:53 | 82.201.98.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| US | 8.8.8.8:53 | exo.nel.measure.office.net | udp |
| US | 8.8.8.8:53 | m365cdn.nel.measure.office.net | udp |
| IE | 2.18.24.10:443 | m365cdn.nel.measure.office.net | tcp |
| IE | 2.18.24.25:443 | m365cdn.nel.measure.office.net | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.24.18.2.in-addr.arpa | udp |
| NL | 185.89.211.84:443 | ib.adnxs.com | tcp |
| US | 8.8.8.8:53 | outlook.office365.com | udp |
| US | 8.8.8.8:53 | substrate.office.com | udp |
| GB | 40.100.174.210:443 | outlook.office365.com | tcp |
| GB | 52.98.207.50:443 | substrate.office.com | tcp |
| US | 8.8.8.8:53 | 50.207.98.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.174.100.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | ocws.officeapps.live.com | udp |
| SE | 184.31.15.242:443 | metadata.templates.cdn.office.net | tcp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| FR | 52.109.68.87:443 | ocws.officeapps.live.com | tcp |
| FR | 52.109.68.87:443 | ocws.officeapps.live.com | tcp |
| FR | 52.109.68.87:443 | ocws.officeapps.live.com | tcp |
| FR | 52.109.68.87:443 | ocws.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | messaging.engagement.office.com | udp |
| NL | 52.111.243.12:443 | messaging.engagement.office.com | tcp |
| US | 8.8.8.8:53 | 12.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 136.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| US | 8.8.8.8:53 | odc.officeapps.live.com | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| NL | 52.109.89.119:443 | odc.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 119.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | directory.services.live.com | udp |
| US | 8.8.8.8:53 | csp.microsoft.com | udp |
| US | 8.8.8.8:53 | res.cdn.office.net | udp |
| SE | 184.31.15.227:443 | res.cdn.office.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
Files
memory/1872-0-0x000002A1BB990000-0x000002A1BBA12000-memory.dmp
memory/1872-10-0x000002A1B96E0000-0x000002A1B96F0000-memory.dmp
memory/1872-11-0x000002A1BB900000-0x000002A1BB922000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izr3agk2.zwg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1872-12-0x000002A1BBC30000-0x000002A1BBD32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8857491a4a65a9a1d560c4705786a312 |
| SHA1 | 4f3caf2ad5d66a2410c9cca0381d26a46e832cb4 |
| SHA256 | b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360 |
| SHA512 | d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4edc5d8588de3394e8a8d79ae5b943dc |
| SHA1 | f79737afd4a1e21580ec1a165334b416911345ad |
| SHA256 | a81d7b3bd76b4a17da3876d10b186920939834c8c877ad13ce475a8f07bd56d6 |
| SHA512 | b294a1b8eb74f6a33fee7371429755662c4620b051cf909b056e72f8c0088dc0d0c7651aa8fc4af1bd78559551a3984ca4a6ab816b8ab956b290c192df557d15 |
memory/2808-48-0x000002A359680000-0x000002A35969E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | edb423df3e785acde9dda9cc85d37d6b |
| SHA1 | 456da55e581b285d2057c6bb19f43620d2805184 |
| SHA256 | a3450ad8b20ccf2a84ec4da112b01caa26825734010641f6ac08c59f27d1a90f |
| SHA512 | aeda3c7bedcf9def748e0b3edb9a7afd5f7067d468db3741896512e5171536cdc520a45ce79f9c6d9f76ab3028dd6cdcc382f347f740255b7b98941269a06e7c |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\UnattendProvider.dll.mui
| MD5 | 7601ef496c3f171373605aca6299eb4b |
| SHA1 | 92c25a096a96c690cb405b2d5e2df35a06044104 |
| SHA256 | e2988f7e6ad35863b56534824069aaaf34fadd2d27524e5d030b706576fd359c |
| SHA512 | 0729514091ed0e0468a9466ba3d6b73bfd10eb0a60e1905671c443f66121d84fab57f511bf989580a715e4ea9ff9172aebfe2cc177674c8c14adce5b8a8de157 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\WimProvider.dll.mui
| MD5 | 263b263e5fe8c078a3866eadf7b2bf79 |
| SHA1 | 9dad2d78e5f130b72a39c15fc548935dc9b96005 |
| SHA256 | 43bc4c6ed713d8f04d359151edd47d6d63eb64a87ec37fb95c0fc8f056c8c023 |
| SHA512 | d8ba69b15420aaa6c1afb1bded5d0afb821c73e1ef538f06dff0f4d87520622cf0a5a989a480755a3cb35b9949098575c6beb51bb747352c280916e87fbf68cf |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\WimProvider.dll
| MD5 | 229df404d67e69e57f9e284a66f2adeb |
| SHA1 | 7f4f703dbe8c274f5104d4d104dafcadf0c3857b |
| SHA256 | 8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377 |
| SHA512 | 917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\VhdProvider.dll.mui
| MD5 | bc6b19d90559744702c1687b0e5b376f |
| SHA1 | a3752de9ad56f2256a5190b01c641f173b60bfed |
| SHA256 | 631d6c84c00fcf1e7260734e92bee36243b8c40e97b853be1723dcae277ffaef |
| SHA512 | 9be6cdcbfb665a57e132388a0045a5ce6560740cf2d2d0537acaa7331cf1db2c6d0e1b2200d7cb892c7b6be47b73073a38e1ed6296631b7550a474110ef10800 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\VhdProvider.dll
| MD5 | c6488a9b3569230669c72f3239cbc108 |
| SHA1 | 87b9b2ab5de52f246c1936480463bd402ad519b9 |
| SHA256 | 4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36 |
| SHA512 | 47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\UnattendProvider.dll
| MD5 | f7bd21c4170b1397eb098fa18ef45d4b |
| SHA1 | 05d36abc4853eda468eab68d289337962c76195f |
| SHA256 | 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0 |
| SHA512 | 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\TransmogProvider.dll.mui
| MD5 | dd549e06e8b1a71eef97ebcd494fcc10 |
| SHA1 | b020953e0bb6dd6ae80f881f59591d067e75c63a |
| SHA256 | 1be0b61e8978639eb2f66956a1604f6f0a2d668f868a9ff48b5db33dea812901 |
| SHA512 | 0d3f4700bd676a03d39460a7af08780eb06bfba2c9bbb6827ff8a39f37d0dc946de057ec2fd70715ce8839f55927cbea57c7d8b85a859252b0dc8d9a23c7b540 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\TransmogProvider.dll
| MD5 | 84ae9659e8d28c2bd19d45dbe32b6736 |
| SHA1 | 2a47058eafab4135a55575a359fbd22390788e93 |
| SHA256 | 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4 |
| SHA512 | d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\SysprepProvider.dll.mui
| MD5 | 93d076056dd01dfc64d95d4c552a2dff |
| SHA1 | a90fd06a62c6d63d87e00f5f7e9646b44d2c726a |
| SHA256 | 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4 |
| SHA512 | b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SmiProvider.dll.mui
| MD5 | fe9a7502d09360933fec35a1dd9cb46e |
| SHA1 | 58721b66c428b32619d7f09568e86fa1a9339849 |
| SHA256 | ee5a25b54776a63bc5bdd9a5ac3c6cacc7bf2b7f3761d2b489ef0060e5ac031c |
| SHA512 | 9f8c752a19e8404c7c9497fc9b457404eeaed2d6a071aeb4927fea7c2d3fabb1547e479d8525547f4c190a56113a26a53575b4a7e4bb76c65ea656304b753a0a |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SetupPlatformProvider.dll.mui
| MD5 | 54e7735303befc4017c8f7f79c70ac7a |
| SHA1 | 0e165c98d94ccadb80aaa8bba7644f50dd16c119 |
| SHA256 | 79bd40a61064b856fa169d2ab92e0f41202f08fe78b5c749c9bfb96f471792fd |
| SHA512 | 125cff3faea70c3a7e0a3279022685d23bd0829ae7316ee2dc9afb568d03cdad4ce5d948776a736fecfc4f90d9dd655639ab4f2ab7610ad1ee41c48959ab71e0 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ProvProvider.dll.mui
| MD5 | 465ff43b338a4059ee0308a8de105a98 |
| SHA1 | 0811614122cf0b8e23f805789b1910f788b20ffb |
| SHA256 | 49d4ef65391503ab867354dceeb241e7690c92383458fd3349a85c669b80bd49 |
| SHA512 | 05ccaeea8e613ca50612b73b16175d77f68171a1e5af5111d382fccc88ecc41f83ae84f4c4d91885649197557e0b4c19bee3b23adfd13022b482cb8a92c3b728 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OSProvider.dll.mui
| MD5 | d1f7a1ea380d32e97056793baba7cb6b |
| SHA1 | f5bae8cfdff3e45aaea570d0425b47833e2da197 |
| SHA256 | 344d70160791fa6d5e4b39afa0ebe996a4e6092672ce1e0750b4c640ca8e6a18 |
| SHA512 | 95def4c80bf43a8e9e7cf6dc272e4eb7e1847e5fa997c8a3f2ba53b9bb337289bacd8fd8a719b75818d44ae33ff817fdbf572296b258254543aaff98792a4649 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OfflineSetupProvider.dll.mui
| MD5 | 19575370d599f89404fe876b132fd170 |
| SHA1 | 968fdaee7daed95a62cfa33cd03c42804dc96652 |
| SHA256 | 2ca9f61d307e874e29fbfcc90645a797c82a0891d9ecfd7c3aefa8ea759a2bc5 |
| SHA512 | d35a383e49e2614019fdfdf585b607caab3ecaee6e577793863b8a1b84df2bc76de09577c9474b098d026523539f6e7b7d63071dfdc601821b5aad73f060e00a |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\MsiProvider.dll.mui
| MD5 | 8cf549ca23aa04d862ebf6e6e607cc54 |
| SHA1 | 6348fbe4f32a01460de297e472343b3c0b32e34b |
| SHA256 | 634ca4c93f54c358d1c541059a2e60fdc4a11f38ab676ed379a9e38a2fb3797d |
| SHA512 | 5cb719abbaac3498cdded40ea191158621255f1fb958835e01809ef7532e5e8b3ad03af1170f0464dc7bdcf49230457e86c8c58640716c629fe659e94112fce9 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\LogProvider.dll.mui
| MD5 | 49546b639236f0f120a4982ba840f563 |
| SHA1 | cc080e0ce4cfc5a5e1bcc02823875234c05759f6 |
| SHA256 | bf2d54f231f3e814a401b6598793dc3604e2d381c3b3d9b5479c9fea87dad2bb |
| SHA512 | 8e6f8cd409a601be098fb1e61e733e5ce7fc06e365442e7a2ec508dd44bad2b10bd45288419bb672be5a278501da965831c8e92da545af8a3070ba66a4b01a8a |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\IntlProvider.dll.mui
| MD5 | 7a667def21a5d84e95c0153e463667e5 |
| SHA1 | f980aab6026c343c535441fd52283713183e128b |
| SHA256 | db2888717225eb457283c28424f1ce53397d0aa321b7619ebe0884cd10fe6c15 |
| SHA512 | dde58035cf1e53d4afe66aa69fee934ca31264fb4c12dff62c39a4bd47381e4c07a977b58dd4020d41f0c7bbc502d5ee6f3c43628d4fba8261a82662ea4c666a |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ImagingProvider.dll.mui
| MD5 | cc4d83d9206a2352295b036204b1e1bb |
| SHA1 | 89647c71480550dbd8ed0fe5039d53996715be9f |
| SHA256 | 116a74db2b5024a38307080651aeeb98d15212b1c2547822421f38dd43699714 |
| SHA512 | 87285d309a6410e006eb5b3277de4219bc836f531211677e615e875ea903462a38ac8be66ed08dce804d7b782eb4f4c01f73de5c3a0f90a36859b87b56fa0c4b |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\GenericProvider.dll.mui
| MD5 | 5699303a2d4970f89360068b6dde8674 |
| SHA1 | 371a7b79e71bad4d7da3fc5d79b0be08251fd7b6 |
| SHA256 | 26995bef958d5c2b5748f3f17d2767a9918ef8f2a82b98859913656b70e23358 |
| SHA512 | 8a8d07a4127510950a96701870aca16e315732c88a3d359133c08820a4f0fc4df8eb62364b80af1e7792da5a5bb4c453938c96acea208434f9e6995efc7002bf |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FolderProvider.dll.mui
| MD5 | c514bf1f906c4505b159ac558b3192d2 |
| SHA1 | 0c97fa7adda3da788f6cdbec0aef00e68bc46402 |
| SHA256 | 09eb31cca48ab46aa3ffeb1efa50ee1a0bb58fef66328fa2f71e06e9f0ef5a2e |
| SHA512 | e9b6c78179f394d5c69718d9ce82bd6f6b278067b68a79e9138cf92d48554ffd65c47a722dc02b9031a89ed23065c5fffb529f2ff35856c20c41d5d849fbe915 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FfuProvider.dll.mui
| MD5 | 4fe1ece3b234048791d5d97844fe3304 |
| SHA1 | dba744f5c41dd136e498acc442da8bd5e0455ba8 |
| SHA256 | a7a6297f75e30830ddde1f5dded0a9131a1e9d9dba0182ce7d9f5fb8fdb72726 |
| SHA512 | 74e74eb1c561be31edb1c944838170e9ffc554ed0484fd7a99381e4cd61bb559e4ce7aa6a785f294df991b0d76b4bec841032e1f9e4c23217051017c3fbf5feb |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DmiProvider.dll.mui
| MD5 | f1414df5b1c4c9aa010b60fc0f49c28a |
| SHA1 | 75649556f45c3c0e4566307598472937f994b725 |
| SHA256 | 3717e900e1490eab331474a0cf20010a5f775d6c45bd6d3406cfda8e6241f864 |
| SHA512 | d0b33c06fbbaf9a721803e7ecf1130c91e2234fd3dcedff291fae1d828a6c486229f670d8d3fa0143bb2604bc7b370f71e9f618fd7aa609acdfdf1667d014fc1 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\dismprov.dll.mui
| MD5 | bc47aa123dc9506548cade2321707cc7 |
| SHA1 | dd401731adcb6623d37e35dcbe8bcdf6b6adee7e |
| SHA256 | b9c42d0a45fbdf2db979922d60e3f3dea41c2dbccae80de432674758fb23bc0f |
| SHA512 | 4d3cc7027323020c6c6bdaf6c52541ffbfe144d2285b549004ae6b724f24b9efddb7d3a7ca5053786d67e6181e1a3ff2acc9b231ba42e36113603dd6402204db |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DismCore.dll.mui
| MD5 | f91875c04330d1f8cbb6bcfa1637be8c |
| SHA1 | abb88cf8347b02b9a3939d8eaa0a762f09520e9a |
| SHA256 | 4ca363ac6299a3eff6f099c6897ad45793fe0e2093f6f2782614b7a98bc40ff1 |
| SHA512 | c1439fb8c0ac0872247d64fb98ad49b158cb0d742f40d836e2086c97606b6bec0ad29b8c5fae6ea72c6695cf34efe2e3dacf87be5874fcadacd0439ca19d08f2 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\CbsProvider.dll.mui
| MD5 | e5fe9e638b4744b799579563e433aeaf |
| SHA1 | 380b3f0fb659fc43f5fadfbcccb4fee049a668c4 |
| SHA256 | b6517203d9dde04a3b8a715cf47f83825928e4316e09763fe3cf0f6e1b1d8cd3 |
| SHA512 | 5bc2100c11847c4744673e894d3c8722053271f3bf15788e4f25bcc2a14089cffb761784b260af593463abbf3a9efaf7988f946005f94be016743b8369e695b2 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AssocProvider.dll.mui
| MD5 | 2168d71b7fd5330ab5fcfcb5ab1b1c07 |
| SHA1 | 2d8042e479875499aa2093c8bd245c2291739144 |
| SHA256 | f4b88cb87179472655041518d123149eb49f1f484fe581805e3a2e35c4b1e344 |
| SHA512 | 409ee809194bbc5bbfa5081a368f8834828f396e56d00436ac8f1c30bf7b0974bbae1b8790dfc08a1b6d83f771493ef7b0372cce4feb079533254f5ed665e360 |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AppxProvider.dll.mui
| MD5 | 842ef8185050a821269f5e2ed5f0490a |
| SHA1 | b39d06f75aa4b9b46f342d07f26c84f64ba517d9 |
| SHA256 | 41c8b7200845f5ffd7466dcae1db7b8c25833f2f8118593f8c2770246a322a4d |
| SHA512 | 0ce48d990885e90a06f9829e626a73c3be7a8b214816d2792af75ff7c708ac55d047895d773052a2b67f80e3c61def222a0b78450ae3e48b5ad7c20faaeafc6e |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
memory/4160-411-0x000002327A5A0000-0x000002327A5AA000-memory.dmp
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket
| MD5 | 67a8abe602fd21c5683962fa75f8c9fd |
| SHA1 | e296942da1d2b56452e05ae7f753cd176d488ea8 |
| SHA256 | 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411 |
| SHA512 | 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6 |
memory/744-470-0x000002182DB50000-0x000002182DB60000-memory.dmp
memory/744-469-0x000002182DB50000-0x000002182DB60000-memory.dmp
memory/2936-472-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
memory/2936-471-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
memory/2936-475-0x000001D80AC80000-0x000001D80AC90000-memory.dmp
memory/744-476-0x000002182DB50000-0x000002182DB60000-memory.dmp
memory/1244-484-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
memory/1244-483-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
memory/1368-486-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
memory/1368-485-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
memory/1368-489-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp
memory/1244-490-0x0000016973FC0000-0x0000016973FD0000-memory.dmp
memory/1456-873-0x000001F42BFB0000-0x000001F42BFC4000-memory.dmp
memory/1456-874-0x000001F42C1A0000-0x000001F42C1B6000-memory.dmp
memory/1456-875-0x000001F42BFD0000-0x000001F42BFDA000-memory.dmp
memory/1456-876-0x000001F42C230000-0x000001F42C256000-memory.dmp
memory/1300-904-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
memory/1300-906-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
memory/1300-905-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
memory/1300-907-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
memory/1300-908-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp
memory/1300-909-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp
memory/1300-910-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD9A6.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7KRX8WJ8\signup.live[1].xml
| MD5 | c1ddea3ef6bbef3e7060a1a9ad89e4c5 |
| SHA1 | 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 |
| SHA256 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db |
| SHA512 | 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml
| MD5 | 72aeabca3cba8aa087e9d28257a11f1a |
| SHA1 | 7365f0a2d6bc306724bcd9da2f67f65f47583f3c |
| SHA256 | f8ee819650ca1ad05c24278815663fe0419bbe16724c639824bf1c54920b2987 |
| SHA512 | 2cf83edfd53f0b34361983115e3a8208c9691b3d92d34f5f2045fc5ece5def2057a58066b0ee3de2eb322a06284e548693a31ddb273ca625b83b39d3420212f0 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml
| MD5 | 93f8a291161a802b6bb55bd373dfda56 |
| SHA1 | 0ed92541156096f211af20775ca2809e44ae8c76 |
| SHA256 | 7db754d23c2dc73c1f964a3e27858809f40673e8e1440c586e681cda1aae5c93 |
| SHA512 | 5611f88dd31c02a1b992e8a26392f63f916918ce4f11f4e8b2ba506ebebb9d042bcea5ef9b3fed8ff6586a7799546ffa14d316fa4d2afe273200b1072eff7289 |
memory/1300-1512-0x00000199F18C0000-0x00000199F19C0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 303c052341340d8144d681a50979d595 |
| SHA1 | ee5c989933117ac5f03151e3bb0aae846ad7ad91 |
| SHA256 | b8679fe579a4af2a0d822656109fb155d1e1da1186fa1aeaa9f4b328fafe17e2 |
| SHA512 | afe0ca32a36f66796424bef9cd65a27ad5dabf423b2fbe9c4e49fe43f0e5c92d82928b47f005a389bf6474ce6a39fc654fa00f22e122766fbeea3e9a7e6ff311 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 301e1fd4d45425aea725be0eddceac9c |
| SHA1 | c6182d7484970ec775dcbea25c039c2bcb89a957 |
| SHA256 | 45bdd0ed15d0c34c39f8600c82acece058567b6d5b984d71b6101dccf72cf483 |
| SHA512 | 712710dcae9cca31faad9163c7aab25b1b16a7ffe601157f454e7cbeb5ed02e319494494dc476b8de06c2d0a8e6e351422101ef27c89de524c296b345fbd68ad |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fc901c1e9b138ce528c62bb43cd29f31 |
| SHA1 | 393eca1906c6e9930d22216e7c50d2aa63acd532 |
| SHA256 | 39e70ed2ffb5660281cd7074f9bc9cc8b53455ad886d60d09201bdb5725ebbdf |
| SHA512 | e6a20a6ea8bb7f94d601f033491a91909d4797745fb4ce394399f501e0d3b057335a46133f51090efae10fe8a15dfefa5059d8353d0077964603e397d5937e22 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 5efe7d641c8844e82cc16832c8353354 |
| SHA1 | 260c184935b9bf497bea43ad4c1290b7320c357e |
| SHA256 | 0bb308da1d2fe52a86e47c7feb9efa841b5e6db7bd3e7343abb44ef22c62f52f |
| SHA512 | 6b32c544e1964f281a62e83a62ff3aab4b2831c723d50708546c5f2fbfae213a334d487e531da7e7bf3d757e62a3ba184e2536ee4e31cc1174c914cd9190e898 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 70e8aa5436668fb83c00dce1a307131e |
| SHA1 | 4e7b68eaea1f20f8fa793933d06a3ff8d18c70d8 |
| SHA256 | 35f51f4a1d504be1ad7b1485c164d056935afaad44df5569fd31a708a8c787a2 |
| SHA512 | 832959dd3ed5ebcee648114fa544c2521c90d107900b8a44c958f3b1e3b789b05ebd1915f1a181227f45f386cb45d3ef07d741a9b69cda8746e4f51eb2632aaf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fc5b7bb6e085d5fb074978a0ffcd841c |
| SHA1 | 6d4bf57ee964b04b9851c54270ac03df21c133eb |
| SHA256 | ae05b2a1ed1cd5055206ea165a641595b492b6c26ccbc03d2c57a6b17d84a890 |
| SHA512 | 114e70693dadf0cd8a08c64edc6cbe8fe7ded1044ef63f8b7377fd88eae32ab0e289cb906d2dbca4dd2896c4dfb51e717586b975ee3213e433131a593d8ec188 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 42b7b6d870516836392c550ee8f6213a |
| SHA1 | 2278ae456620f35da7f25fb57241726320d0be05 |
| SHA256 | 34337592d4f8f544e6dec300ce2de99cc17626ecec07af3b89e355841f65b18e |
| SHA512 | b9b7704edcdfebacdd4bae36b424087dd61be3017dd2adb815d1045dcb56255d56bdfacb81eebabd769818b86d8cce9f5668c1b13823a03f76a99465f509b066 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d1cd9fea1c5a0457512133349fd63afb |
| SHA1 | 8a9138d0e68bd7030906a181681f8d69b0e3c8a4 |
| SHA256 | e6f8a473cf45f85944c728cac3cd40072ecbc3eb62da00a59778d794afe66ddc |
| SHA512 | ba1dcc28e06aca5c18290d485d404c31b5bb75fe20932b497afdbe1e6166b262ae002cde7458d3cab99df1b9750e8feb1317963ee1d3a7585b813a26c083ae0c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | bd29a8a07e15487074c75d500ef5ed4f |
| SHA1 | 852faf1b0b9d2228f76fa0e15484c926cfdc41ed |
| SHA256 | 9acbdb73b42b05f8aceabd04dde43a46d1388841fad9812f113ec7e7176d294a |
| SHA512 | 9c8071b8ce8bac1e1b19611b8b5477db4d455921566bcf93be54dd9cc95a95616f28cb6ce853d84e4b8657eda68d7de1f36a4ffc99ce14c83706d688024f6c06 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5be730.TMP
| MD5 | 46056e22cb4b9008fe226a070dd02072 |
| SHA1 | a0a72f53c1b0ab075b1209c7f1e874351b96d791 |
| SHA256 | 9eb68dd370c3883279d58f7e6456343103d19fbd039e77ebef3d2bf6359abd03 |
| SHA512 | 11ccec7ad54723f99c129600d97322a68d1d8a5977044be496fa062fc411ef8777f65dc92c9bed643b071d0e44faaf447b27a4de62af06671fc8c699df55e512 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 18ca2e4e551656f02f293544799c2ca2 |
| SHA1 | aadfd0b9296bf4b60c991039e2f40c583bbc13a0 |
| SHA256 | b965048f6b4903774ff6bf6bac99f6705e27f6b27576b175017f37dd9e74d82d |
| SHA512 | 8a759351b8ee8919169185cb9ff78cca8108a5301d53a14005bab13ff21124813c5836ab6c90e5dc93fcf0ca134d06c592b1e3da595fb6d0a0416f9f4d0d6271 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2a59ba562dc6290a4ae77a9aab43d66d |
| SHA1 | 8b84e9f43355e8eade7f258f93562befae18b755 |
| SHA256 | e20d418dbc6a50c89e496f6c2a638092a39012d954614586472d671d557a3213 |
| SHA512 | 8e10661912bd3ec7cbac07ae9c022008f4d7ef711cb3e7fea9eb86876ca6132b0c846a62ab8e15a65d9c185c51db2d12cc0c25590f4132e9089b7e847a791071 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | dd9369538c842b55ece4fb02deb2b643 |
| SHA1 | c109579c55184a2b52584f9105e084be612f9fc4 |
| SHA256 | 9dcb3ff17105e0f481cf397e1c0467ffd5a69a16a62d04de7a99bafbdd4adeaa |
| SHA512 | e4c0de4986d01f55f2b72cbea0737940d09e56432459728e6f4f592809649cf662a030a90d1254417eda07edbdc3c252ad3eb39ef1fc1386a747a36c8c893a7b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | b7f96d9831b6e0d2a14e3bedb11a7c2d |
| SHA1 | 4dca452a8b2e91cc0f8435a74dcc5a4a06a436c4 |
| SHA256 | f8a54731366f07de408226738e3a553a680a215c71c14df7fb102009c19716ae |
| SHA512 | 94fb971a570f626286823849d4f96155ab5410042d17a156f2427946c8a1dea96d7f218f6c93053a810ffd76853930e23a72c8c8182fec4379b5363a1934131d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4f6dc5154371ba678a4d4771368567dd |
| SHA1 | 7fc326dbc0200db32ec22627cf099b9087ab39fc |
| SHA256 | 7d841d6f58f199571ebb204bb0ecfd187eef533f516e447b64ff541d32fa4b06 |
| SHA512 | 3ee1f215c36f7ef5aedc4b985cdffa8347fc4ef8509e9bc009ae41b97c916895b3be1930f2b9ddcd2d77de7c4da4e144835fab1c7403f6fd8cca388e20540759 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 935d8c14c191025d9da96e2acfc6dbc4 |
| SHA1 | 051b298913c354ca92fe5371505cbdd924f0af76 |
| SHA256 | 0096064594f398d03fe620a62f01e779dcd28b88eb4e8154dd35944929590f8d |
| SHA512 | f8efb774febd88e4e20c3a245001a5676c027974ba13326663217497042aaaf16ab2295be491033aebe1dd10ad33cdb71ad281f0cdffc5aab0c2bb92ee6da47d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 6d0eda8f93b85eb8ace48430272f6953 |
| SHA1 | 74606774bbafb978413100377c4dc4b005922973 |
| SHA256 | e3b7f7340d785697a11af84a30648363b64a31b122b08de75ac7c8abd63d17f0 |
| SHA512 | 1708c8990fc4501868595d684147c2a05010c5499bb8d38c07d9b099919b41153dc595446ed56f3119af2c6dd9eacb6a3eb41bc70dc7bb491e57051809542986 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ae36da0c9e0e5aa26647c2dba3df5467 |
| SHA1 | fd2591f8d8f4d2cfc97d365fed6aa403146fd15f |
| SHA256 | 8de05d66f132ddc0b26da9a6418047a75e8fb141bddc8011906a6148fe8774f8 |
| SHA512 | a65b99148df4c265ea3e330861fe865e90335a07dc5a4962d9f4324ed234b86b7d3c783ab58f68f4e4bfe84b0a30ae9a153061d11a7728bb17e7c383183197bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 8fb9a36a23f1379bd980652fa9fccda5 |
| SHA1 | bb6e3320e7a940e678c73abc3b0bf44d0ed6cfd6 |
| SHA256 | 79c800c2a1ed220d7e9ae9b2edcfc4ca0f6e4215d3ef009efd77e84edde13e54 |
| SHA512 | f1f42fd70fee75a8045e9170093026ae01279a54308d304db48fc8f8dc75d9bc5febef9ee7d405417ab8580e396af1b6ad2f3fdcf3c7a40b7114861af5c493a4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0038c68a4dadf4559dc01863e6554892 |
| SHA1 | 4d98a8e40d2273e5f8387a44622883c18c24de3e |
| SHA256 | 46cc3849180e78d5f3f81f5cc5c296002281cdf84709aa78a43e4aabd937d8e6 |
| SHA512 | f01b81aba450e429a7f39908e63366749472eb4f6e1a667310bec5e38bc40fb20f7a3c47e462b69d5e7a531cd2c6e5df9c4628de0f4bfedbc3593ec71cbc1c92 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 51821f35a1a6699b60ded647ec3d378a |
| SHA1 | f10868940e5a5a5576aef6bc3ee4a5b891f054d8 |
| SHA256 | 64ba02c1fa6b1dc874cbdf04f5979527391bc6b9f14141b58ff67427823cc718 |
| SHA512 | 4d1b67a356c8028c8b178775259199bfb182c85dca4f61a6e3e86be583c72c43496108a490706a2afae49ab66d7567cc657f590f9b0f89e158a9aba7655e98b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0354b2717c763d33f8fe4a5f363f8c42 |
| SHA1 | 51f407bec254ab7fc5a54f4322f9a8aad6cb6860 |
| SHA256 | a686594ef3691e5a27dcc1b9392cd4710435f4087a23a97df29f6c45ccf19cb0 |
| SHA512 | 8e4ab304ac7cc8969f3d624bc0ae1f890fd7e13d9b97de8eb8ed1def31f99c8ecdb7a066a9d4ae3985a6f280a72c796f6c3ba8cf0c3d7c1b358e9aae1923ea21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fa5af976ae0e6416202ad0c52f28fc7f |
| SHA1 | 7f4711e6b656036e4e54179f0e97d53cb227b545 |
| SHA256 | 50d8f61f5544f45bfb176740f72ec00fffa7c60b8ea3ff8445c9c60d9dc70aae |
| SHA512 | f67c2b8b00c23c2a9658364c5a96fa1acb10a1e26749e21a760c655d173e3630118e64ad96b80a500c0c4a99c0548d77919f2f5e17c715b5714add3fcb21db73 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 3a4ee881a0b288fd2461f78fb34189a1 |
| SHA1 | 9c4f21f2fff246a935c1d76d7a30ccf5458c497d |
| SHA256 | b206272f101ce50bbea0923f1c669b3953d893bc7f3c063386c9bcaf9924f18d |
| SHA512 | 35a2d20b6f55358403fb9ae1cd027c84cc750b06e14e4bded70090d889632f55ed8b9de256c1957ffb3fd92fd67262b7215b168048842739ed88d4bc58635041 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ba0a3540ea2fe28450d4ad6ab5748758 |
| SHA1 | 46953243e7db683b7568902cad43463cb524cf82 |
| SHA256 | 599788933c8b8ba4deca1a501b5fcafddb5c2e10dd79a0e26685c2092779001b |
| SHA512 | 8b31b1a2e329032db8334ea7d3492571c3a10912a96cd66a7c709c45d9e2cc5a0e862dd6444e16de63554aa288951cf11015c3cf78d4ef793631efac70caebc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | aba2f40fd333f9eae61cd70da1838043 |
| SHA1 | 4bb213b49d3fc7c2f661ed944e40514036d7be58 |
| SHA256 | 006e0e56397a7d275b60a1e8e1101ea366a5e9d348342034e9cd0295f4d07b3e |
| SHA512 | 02d0ce0f3a09900f2586debb89fe1047118ca30723585255c4e3756a8e822e53473ea04485038798e19d26f74d06a9bfb60c1fc3703a0383e74a43c207d5a8c0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2cf0c24bf54ce99a553624e9ab6eb0e7 |
| SHA1 | 74f14d353202c96480d441ed5aefe3ac8f7fbf52 |
| SHA256 | 4b4a342201dc1845283c25314633e23d6c73773194ad45cabb5dceeebcc90e8d |
| SHA512 | b15477afcbd15487901db9f72c18c5d60bed1203ab031ff4ba33cb4098304b49e6f59d3a764c9fe6104cdfc717ce252849a41bbd5a35dbc4d68d3f4e18d5c6c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 56bb923ee1d4ca34449bb85b7de85e68 |
| SHA1 | 1328adff2be30b62d25260c0f39ec5946033f064 |
| SHA256 | 6f9452c3198e1e31d3335d971984cd4d78b152d4f046061015f4f3f2048d5592 |
| SHA512 | cb47fcc7bd697371337740edead6aea18dd25abf1cb4634d533cf8bc0d0e4deb6e777f394534bb09805e14bed6f622182ac36f07d4cfd4c9e530b0b816db1ee2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 044f9e76e553a4c5839f000259ce96eb |
| SHA1 | d510cf1457fddde4fb57e71f1d85191e123bde5c |
| SHA256 | c9a2b97e24b81077d612473e87966047b82bbfe5b80b7cf6b80fa160ff5c4595 |
| SHA512 | 1edf192012616dd70b8fc5e4147f4aaca3bdb7af2072785438e04f001c7e58e94694106fa7b82164752e1a89d950f0c4b39840780fbf41722248a32ff5c2cdc8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a58a97326c8be3aada16ad6421da12c3 |
| SHA1 | d29e17b29ff2f7b3f987591e75eff2b083e77f0b |
| SHA256 | a22afc56b94bf4ebf02ede27d24f12defb3eb1715adb969ab980d6b56e581304 |
| SHA512 | 6f9fd6f4847d47268b096f6f9603781f45988c9338ea8a6064b437823d9a4c1d80bf73683276c9bde3261a7dd4316d605c99919b0612333c33295745363a8190 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 12a75beda9f246e828cb0c96e70d032d |
| SHA1 | a2b358a105ee1311205d8b8b3d63610107815726 |
| SHA256 | 82715038550ffa97523737031013a7996e2071140a459e41c2666408c80848d6 |
| SHA512 | c5abbaff3c56f090d3b9f671f84e988c8bb0810b8b8c20412bdc67b6cabe37dab0db0b4675b34594554a88ea9970d91cae34c2b6718f6d08cdead09be0b1acfa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 98e23bf2e9013eb09d90d044f2f6fe62 |
| SHA1 | fd4f0d2e0bd634e858480d6f40c41e503f5e0ef0 |
| SHA256 | b5bb644ed9a5592d807b06450565234e335e9f8dabd5478ad84c8c434a6fa712 |
| SHA512 | 9a5e9f5fa23166c29ab2f4f91383acb55e25b6a473cce76f6a5c713d97d4e32f17e0780e46b5c383313f72c500099d83b95ef242a19dcb99303c94d0c56fcf38 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a51d9ba58f9d1de8cdfa4017d5a26ed3 |
| SHA1 | b46a2d04ef6b7b3ceece2911742ff517eeaf8684 |
| SHA256 | c87efd7399e9fc18910612d3ecb2d6c374fb49af42b2cd1f33b72dcc09fef3af |
| SHA512 | c7f1dbd0933c2754f11540db104ae26b7f5cf8a95c4d6b0dbc2dbb5dd75e04c548ebc4c3ae2f8a4d9508deccbf7aa7aaf85b47d5ad16943c989a12e078e98736 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 12b7b2aa79a2377d17af09385b7d07bf |
| SHA1 | ad0c7cc1fce55abb4a3973e142d7d4afff26cf70 |
| SHA256 | cc05fe4b8ed4bf5c2a421d6838bb29a695db965425c99a84c82b24a45ba09174 |
| SHA512 | 859af3995e390c460a02d9a68caa90a20f17b50ebe1e543abbd78b59104e599687578fd6e31ee4af0e0df20dbb38091da4707387f394c39ccf5e379264db47a9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 394b9e5ca67e79b96013c6fec7e7fe0c |
| SHA1 | 6c254bd09e978e9d2f910aed610c71763bdbd2ee |
| SHA256 | 38d2dc5d63fe78464b241aac1285d063b3a12054ac24bdd10eb805f2dff733f7 |
| SHA512 | e42a55dc9282668251f5441b573659ba09f9ff11ff274b456c8ae5fc0cc5263cdd2b1bd3d10721c325ca7abb0524ca77854b27c6166ebfb31434140fcd0f5158 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd[1].css
| MD5 | 8fa25b1b1147660a775d31cb82ae4b4c |
| SHA1 | 4c2e4f2f11e843a47b472cee9cec331c5b40bc92 |
| SHA256 | a179bad5af9f3240b7d0a9858eeca55def89872332b11d9190b3489be77ff440 |
| SHA512 | d3d92c13c7ac4a2d3931cf038a27c5226b9c9e9c068f63ecf291d9d6407b06450ed245c5bc0ef953e9cbe2fe112bc5080c190dcb311bb3a62b3f3a9bfed03226 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\jquery-1.12.4.1.min[1].js
| MD5 | dbd7b1d283bb02ccfb777c11d73d9056 |
| SHA1 | 31459140706b1a8a5ba0db3ec72b2184eb4ed64e |
| SHA256 | 3ac82b5a773ea82258a30c60d277acffa832ce446397fcb6abf39726c4330fb5 |
| SHA512 | bd46b6a103733f2320ed8c9b140602c2dc56a0cc35a6a0d300dee303a8194b464b23b8795efb406fd44ca0a3e94ee342d3d9c4a0d533730d11d4a1749c14fae6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd.min[1].js
| MD5 | e051edec194749aab43851567a27c286 |
| SHA1 | ae34370f5f74ce740be0aab15c5231042094147f |
| SHA256 | 282e4d51d2b827c4d52d7219febb54e8068aa1f9e5981a2ca4d9fc1ef89892ae |
| SHA512 | f3da52ed0df9a417f6d3eb936d8dac906de6a43bafc381a42094ed25322ecbaccf7c8652c0323f0b8edd7eda0c918d501281760d473d956fd8bfa8991efb8c93 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\jsonstrings[1].js
| MD5 | 7bf7077081c36cd1c279edd956e28e12 |
| SHA1 | 75f18bcb3dcbd851791db887baf6d2e7f822d1d3 |
| SHA256 | bc813f4e19b7c3a0d0df54256ba40cd8a935f7561c84501ef0281ad732d92c6f |
| SHA512 | fb8a882a5a8180f678b64f976802ba470609b94eb96d55b866549c5a47e6b7035067b0066899ea3180bd5a311155982f7f6ec8c950af225b2a48ceb42a1fea34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\CommonDiagnostics[1].js
| MD5 | 08fbff79b5eec28ddff4d772223b81a9 |
| SHA1 | aaabd7e0b32698e8295139c4868e9aee5edbd112 |
| SHA256 | 773a678845579e6334f19d4e62f29446e7898bd816359c74574e37884503f909 |
| SHA512 | f94a2c8d756313a616f4e3dbdb9661af3cc843f74cf066243c649f943e4aeab696e01e37e33cc57df16f73504b529702d28c779931adc2630c6d4fd318ffddc7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\knockout-3.4.2[1].js
| MD5 | e956a74c005b7a243f0884d67e60f8f3 |
| SHA1 | c4fda6eee21550785a1c89ce291a2d3072e0ed9b |
| SHA256 | a305fbb2ba223bf3b56bb8776b85f6f40d60dd082a74dbe28d143b5794c7e393 |
| SHA512 | eca283f482092f7793b4c1580cc834f59bd1f958b61b20af05ac1c5c20499676dfb99b58bffcf8ef0b166fa0481850bf78b1f4f4e5450116a0361d6cce950b34 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 736cd3475e87f0db7f2fe8c3b8e15d0a |
| SHA1 | 051a35833c245f806362f44a52a92197c6c5c8da |
| SHA256 | 64bbc7951902b6ff10a835b6dd0dafb102bbf1d6a6279f1e691c066d22b75a03 |
| SHA512 | 5338709b4c103d19e15451b1d16dbe3d2440f7e53ba15d9623516759903da2634680c6a5ac951ea063c251757a0c15e07d85e7fc6f7442fa737eb633b167e454 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9c866c417474bfcb040a7bedc60212aa |
| SHA1 | 6d7e9a9ddfc685de61426af3ba6798b91d543fd1 |
| SHA256 | b07be1699c7398f6a16bdaa7f39175fa932e26c45acfdfbdf3e603077a0d2e2f |
| SHA512 | 3ffcd030aa60ce964f5b4e7fcc0031d4aa57161cb49003a2af0f8aaab4709ff1f16bb5930ad39c24589c7ad50a0edd63c1cdffe4feff0cf69bb7971db25c47b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_outlook.live.com_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
memory/5332-2612-0x000002619A2B0000-0x000002619A2D0000-memory.dmp
memory/2240-2682-0x000001C2D2C40000-0x000001C2D2C50000-memory.dmp
memory/2240-2698-0x000001C2D2D40000-0x000001C2D2D50000-memory.dmp
memory/2240-2714-0x000001C2DB320000-0x000001C2DB321000-memory.dmp
memory/2240-2715-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2716-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2717-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2718-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2722-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2723-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2724-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2726-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2727-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
memory/2240-2728-0x000001C2DB350000-0x000001C2DB351000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a0b4b9f24e50d08b6332b965d8deddd1 |
| SHA1 | 634bbdc4b9a3ef537f6d3c3d2fa936327462288a |
| SHA256 | efe02cc052d6e5121d905fa5e8bd762ab3c7bce40b6ed010f8f1e77d763b35f7 |
| SHA512 | 07cf239e72566c147b81f4e724d27b164d5c43dfa08826ca49cc2bc17e78a81dfbbdf33756847e42b46506805312ebff8a80dfae8065b5d65d8b65dee6f76b00 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4d0f2f590c8938cb24e1403c693af314 |
| SHA1 | b1c14a19b49a3e76a3474089d1d00815ba64ad93 |
| SHA256 | 1f4cda04d50522f5de78e48ce83dd01b7991ea686eb30c8f7e7b79c0e275127c |
| SHA512 | b14aeabc0cd55cacbee0a25a636e8c54fca81b9a0d8c68de9a6385fef907e42b42d84e87c504f157bb0ee0bba07113e0c8b8ec2f750c61dc97ea012dac73afdc |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\b515e778236d075fb60ed7266f260eaf90fab988.tbres
| MD5 | a71b58190ec957a901493aad0aee9376 |
| SHA1 | 74725d0b0d56f59652726c02353e380f22b20f95 |
| SHA256 | f640f3be4e2923aa3ee64b82a7be4ff77559adfc77182bdce1d9aa1ecb5970d1 |
| SHA512 | 284b49d1dfdee691270ba3c01e847e13744907a60deccd28d73a9ee9a44fc48bea645f87147a20854a8b806f1783884e9a8e3e379d452274ee633116090a3d60 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\6386bdd51a3972bfe10f158d594c808af29a2432.tbres
| MD5 | 9aec6dd5aeac90b41b839a362f7d41d5 |
| SHA1 | aaf698a061bc54ab73f397347fd494c5fa8c1d23 |
| SHA256 | ee1ca9aa1de5492b413ab1dc2213fbddba858b93e192e6aa9e51db1ac65e99a5 |
| SHA512 | afd34183d28d21c97ab65baf1f5d13d08f0442378fa2ffc0b83020e393894dc06eb2444928604910a25b8a170610135115061dbc32d5edec1de0e52e8546599d |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e35b480af2edfe0aaf0a0d8204630ad8db7dce6b.tbres
| MD5 | 4b65b241c19ed576a7091dd414136a54 |
| SHA1 | 497e95c2d7de74d5994ca8f7ad2ec7ae61494437 |
| SHA256 | 03ce65972a7cb816536b4b17d662ce53b55640418d301f0fafcfd50f6cca66fb |
| SHA512 | f78a70b6574a8133ad141d979a12c5c9b3e79e1f7a1892bdde854c13da001a2ab57d3bc46c8d068206ad4ba191e9b1204208e27707b7aab4a0d72c59a96d1da1 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\427a833a6fd8c60b323447dd7e7cbf9705d67d5f.tbres
| MD5 | e795bb071ae45bcafb34d26b6979635b |
| SHA1 | 6f0643459d037f0cb1227eca6562a35f6f08081b |
| SHA256 | 18ff082f8e51c3edd00518f7136e60f9029cc8b0ca642b8121e610a1639cb7b2 |
| SHA512 | a4d96e96a57c6f4f20e1e4cce5272aeec9796917cbdb36710d5a3af69f00a669f6aaae7a499e3077119e9631f6769d90d6b738107a508064511e171672c42598 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9b0c889ff339813be4d0dafa66cc5844226f38e2.tbres
| MD5 | 1eddc4a4f525a2b364cd2e9ab76f9d3d |
| SHA1 | 0d1662ef6d64ecd1f8408de1e7309a804d6de22f |
| SHA256 | f56ee404dabba29bf1a1a4d889e61511992d86059757f40bab3fed6fb5132ee9 |
| SHA512 | 4959075dfa4ba2fb1b2e45ecc4b552271b75dced9b94c644f8d0831a4e0de8ea6fd187073cee9d60fa908db8c8c6417edd25305760932173d8374ca59f10e704 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb.log
| MD5 | 4f4d4d09efe62331cd4224a217863422 |
| SHA1 | 93920aab0ce893bd6ca92b7608094af6dc50fb0f |
| SHA256 | 078eadea7e5d8ad2741c8eaa1462c28094864ca2362153718ba562bbe9bf3f95 |
| SHA512 | 62a7c400d1832090d9498941b7a12228b11453f3b673f558bdb93591c6192db0e2dcd400698c42537e5f914b27a73f285fa23be1b1fbafd15b0e6aa96850ec76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb.log
| MD5 | fc53efc8046748a1708e527dfd2c28c7 |
| SHA1 | b57b22b10cd3db380dcdef6436b592d8561cd25d |
| SHA256 | e2e7af783840333e1356601dc4b4afffd4e7edd874a4fdbd5f659bd7c5f2dee6 |
| SHA512 | 1c6faa46bdb7a3ced6ae0840e62598e07bb226dceefe06ec768ac40c3eb989a4e3f596cfd89b275bdf17a583953dea79781c6e9d24e8f5631e97ee3e2c567aaa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 36e62fbe08b0a7466ed7d581b30bb291 |
| SHA1 | 203665a2e979c020d3b7e4eb8b65d88fc583bb0a |
| SHA256 | 402d9866ee19776ebcbf5e1585048c2806beaf554fe925af490a174ff233dc85 |
| SHA512 | 8fc2efa1a282c2e1ccd658380ef385fcfb978ab435dd034aa3d2014cc5fcab161602db6151c29d2ac7a1497c9e25f46301e6202b727fa96974eac7685be63599 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 1348e4e8fc451e8021f935f4b1376c95 |
| SHA1 | c6fecb47e09a1a255cbe9a9f03d91d2100cd1737 |
| SHA256 | cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01 |
| SHA512 | ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | a2d5c41311177bf18a795638cc4e2777 |
| SHA1 | 40625aa169f3bceb6b96060b8a0634bf8cf5eac1 |
| SHA256 | 63b9d5b599c016878ea7fa9de88fd0a6e89b09210475f4869b0d8e5a71946c23 |
| SHA512 | e5c5cacd31a05a67449ea44fd403f4585960ff3a45104bc1044d2cac2acdc1a3e309241092a327df4f186367cde75355c7622d213925efbbd813cdb22fdc7ec0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 861844a1e60337f63283dd46f927efe7 |
| SHA1 | 58d8936597bc3f4486ad80a30009c5e7d0afec82 |
| SHA256 | 40343f8b1fb6d58b69502eb2c7bb660484f6e8c2b9bb188576465debb6067227 |
| SHA512 | 7feb5b6bc8d9b465da384b5865c3a2d20c3079ebb44891da4915dab637ad3ef3ad35f7a489d9b5fd1c634ffa2b448e19c957c639ddf94e9d610dd6272162dc6c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | c75fb6c2f7d4bce3e92e71212aa9f908 |
| SHA1 | 2fe10fb75576fd0835f9e8cc7787fc9cf6f44957 |
| SHA256 | ef0026722623f63e93c756aea62689193afec567768013c438c3283e53d2fe3c |
| SHA512 | 47f9b982ef1f5970ab9028e5647c16c8d3b547541e6b8f80404c25c7a3d1d0ede2e1c184cf40186e26e735f5d8bf8a3eb5eec4363f38c2d5c6f4f4b07730ec63 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 878f1b9f64e4fb5fb252a5e9c4165ba3 |
| SHA1 | 5fde0f04f6f2d5e871059897877ce7ef54280411 |
| SHA256 | 3dba58f72ddf8c89e652b88de57b0cd4c10f3de0a5e6b459351e6709302a8ef9 |
| SHA512 | cc9399d06047efc6e91de71a4a3b2a0e3601fb10b2ea0589847885a0849dd145f525f239d00ee0a5cf423c9e6cfb2ea3f89f4e19c249a42aae00b825acc209a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | b1967c3d3ddfdd9d53833305d8892aaa |
| SHA1 | 0d3ac5311d921f4bba94b84c49eb6e6c858afb05 |
| SHA256 | fccfaa31a572f29bc74e62b33d00e01453c086912bdd4c397039988d703f5cbf |
| SHA512 | 51ccc21759b7ff7df4e91ad464e89479a23a17079d9ef072f3c8846bdf47a50fc2ff14e174acde3ba75bd90d47b15b8e9baf23bd4c291905e7ae4edcdb77cdf4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 9c32516132d3fb495845fc6d80d03be9 |
| SHA1 | b0f9a7898309c2fbc5538bd10065cced3f6d7114 |
| SHA256 | a0533c03fe02f9d7956c3b3f1e1a85fa9da7ac5004f881f15dc2a793abc52a22 |
| SHA512 | e1a8488d25e72557007211b49c0606bded23b04e7d0844611cbe7e9b6cd090c35758fa56c08fe48f4f3b118fe939926a30db24b4cb513d14a8a64200a8caa051 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | b742e2b02e010e4507d59ab375513174 |
| SHA1 | 05458811335e96fd069dd3d164927513041c7b4b |
| SHA256 | e8d103e92fbaf535f09c8328980ef1f9740a5eec44c1e5fddd8c8586a969c44b |
| SHA512 | 38538de76e552f7ac059e3697ceaee9f64a55aca7d7ed667d584dc07b99d057f93dd91b768ed54c846eb884034da5e85f6497eb9876338586bcdf93ecf5b1536 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 1ef45d5fbc69215234805a431a6b631e |
| SHA1 | 52eda8754e902c7f746a7e3d27bc1dd6c576efe7 |
| SHA256 | 1374c3682d657eceab5ef8fbd5a8e5656e25e88d5ac5c695ede082d287237e8f |
| SHA512 | 5f74313320525fa24d65b0b99d63556943d68cf233b230e7a162becb45e49f38851243215eaf23df0577e1c4578ce3d44a0f346ee7925938a929af60a6314a16 |
C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp
| MD5 | 11b8a58e4630b73c48180c5e812dfc1d |
| SHA1 | d79ab1567d0dd76985f18c337aec6fa9e14b375f |
| SHA256 | da68ef21bbee40fd047143031d56ab3197d7a4e5f9be63d60e7aaa643d90ecb6 |
| SHA512 | bddb041ddd3cac8cbef1fb3ef5ccc71b011847dd6ce021c9f83dad68cff1fe53ecfbf36a20efb14d79b21e5ccdfbff01e97c51fe9c4229f0d5f15093847291ef |
C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp
| MD5 | 0aa0806ecc2f4db6888f0b6055c551a6 |
| SHA1 | 792ff3cd4c37e77ec7c94e7cb5c380e5516ba5c5 |
| SHA256 | b3473c2c13089b77ec4a7cd1fbdb5ee42ebc10bcd5361a339e5378e3094b0865 |
| SHA512 | b935daa3a2fcf2361a24ed5160e8c021045176b31e516e9de6036dbf406f199e3b384becadca83dc60b721b8018cdbb255ecf50a66611650ed0b3aa80a36f758 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index
| MD5 | d97ad49ac1d46f679503a535eb6b0156 |
| SHA1 | 5728e67169b78a54b2e1dfc8da0b29256fb0897e |
| SHA256 | 0c3e5886f456d8d0cc2358276cb6b650982750ac47b5252eb182fcdc8ccbdaff |
| SHA512 | 642c2884bc5e29e563154a561a2ecda2b2950939e2a8b42798924ee81673712d3dc8a385134f1e58f868155f17f901d279d508adc6ccac026669f59b56088a53 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index~RFe613cf9.TMP
| MD5 | a3dd97c608c032d3e79bf108d8f1500f |
| SHA1 | 3c8f836e8ba640418687ea8e8f81ba4acbe952e9 |
| SHA256 | 87370627f0e009e2a2739429a2854e2491c0325350811fb4d36b087f533e9d30 |
| SHA512 | d5f91476a3eaa8576a7bf2879afbb34c9f5d522e37b32211a45d2c20b5f825bdf33afb5fa6ed86777e1664d8d41e2008994ad8a8811e9c3cce0eef0c624e6054 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt
| MD5 | 66d2cebb55cbdcf9ccc8635cd56c0c5f |
| SHA1 | 4cb0722b4f53dc4f03d4ca630ed3489638ab62ce |
| SHA256 | bca2e98693e231f372ff811d1ee558d3790b7e6c6d48c0340e5dc4cf68a7f19b |
| SHA512 | 8dcc6431a2b402376c08b387a445e86464c95cae16dd3aca48e094e7384e984ad118979dccfc7f41166228ed9bd7b71e6295ddf85e989e25cb42c30aac50d48d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt~RFe613d27.TMP
| MD5 | cc7b03102ca98962821c1feec5b833bf |
| SHA1 | f8e7dcd7662af6c7eefe731f415a1352a41bc904 |
| SHA256 | 26d505b6c7eeaa9ab806d5050cdbad6cc8021fa3bac1ba85ed1d82e0aa3260f2 |
| SHA512 | 89c2a93cbb7f85916baa721d8f646df84b137d3be5c2faa137b1119f0e7667513a46d4cf630a8656c4f0453a40cb869185cbb4ac09af24cf2effe8ef411354c8 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
| MD5 | f90121b08e70c4ad8cb1670f4a527fe0 |
| SHA1 | c7320b27a68a09096d0499eb60c14c1c506e1518 |
| SHA256 | 23e2025142db1d38a5304d52125825c4ceb13766c3a0ebb32f1ffbeab8d9a087 |
| SHA512 | 024bd78e31e16cb452b9d5d8ac2f1da2cfe062c5691d220a98f08807461f2f005d699584aebfa90f6dc7369b8bbaafc4aab83e76169b2f47c4d564dc96a41dee |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 378276438abf4b12461b5575e175733f |
| SHA1 | 82a6b2c3a7ae702b72beae6236cba5f10a79cfee |
| SHA256 | ecc825ddde07c7b981fcdd825a2d9820e3c21460ba1ec409468c088cdeef95a1 |
| SHA512 | 97d8b5e3af0cd531c54ba5de7273d95d5c070220a6384c3be9ed150198f06498f3829260ae1c7c38816b9a623e285319499318767268e49ceea9f74e250c71db |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt~RFe614862.TMP
| MD5 | 0fea942f43803cb87fa48442a5c90c34 |
| SHA1 | c99d9b82a78c61d33f5988332a424a93b8a5a071 |
| SHA256 | 0394c9b9aa3a1ea3c7b5e523a7b5738e52889f12d41bbfe23ef0b9213139d9d0 |
| SHA512 | 9198ff12aa6fcd167ba8c5e436c3e30266144592f3b3544e75952d9a1ca216fda5d2f5c8a757ac25871d7ae6f837e96e3b71623eb4939c94956de473957a60cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | b44bc8bc0db9431c30193a77bccf2f1b |
| SHA1 | f7c41ccbc7ef13596ace28e3762ebdd94af5319c |
| SHA256 | be0a572425d0f41823ff2a6cd0e26f30f82b5db7de65d776e236684298685d18 |
| SHA512 | 2eb8caf795f0de22784d460adff9bd084707496bf7aa1d8b23382f2d0f2b570e81b0e8e04a3988c816e0778933ff21f88083422c1c51e923069b857180cfe508 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 60792ace472681e4e7af06ea7311e2e6 |
| SHA1 | f3559a5432a78334e9ef427300f25882cf98726d |
| SHA256 | 6d8e491eb0036c2466e67ca60ae33c6bb7480cd46cd974d7a9ebcf418bcadd71 |
| SHA512 | 2635a3e6e52fe1632bede2fd19210405733d65005fd4784833fb0226345a1c62a1f5fb93a20cf95b1bf18a8e2e1e9f4b0d2b7e2aae91e1f6dfb6044935ed1085 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 342568911a0c69f88d977c579dca65eb |
| SHA1 | 21205c31c2cefc7689caa612b92bbe59c69e76cf |
| SHA256 | 31c61250923f7a0d1dd71e3180bc62f0f8fcea59af3ea403399c9b2ce61a522d |
| SHA512 | 5b0e20b8e78ed5cb414a8f968faf6153a52d53e3026f10ebf7ec0b7cb8e20a522ce2a1149d86453a32e12dc5431b4c0a9c094aee970cf6b0a441b15f40d83d6e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 1c400a98ba1985e15dd9b66ef46851fd |
| SHA1 | 3360163c876f8fedf944378d956c1e9cb2dc3d84 |
| SHA256 | 9ad8af62597cd6b904cf43fcdb4ad7054cde38eca2175f4393f1ea8c90b3a81d |
| SHA512 | 7c9e4675990fb8f0e97f0b6ea884e7e9e9088243703d7fb5b8b2bbbba67ebc8e32c0b9b6c39fc69903be394117050d2ec74d323d167202653c0a95b581778930 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 75bbf54f26efab926ba975f24262f4aa |
| SHA1 | e594adfc5cece11a6962b87aa54e7eeb095d57d3 |
| SHA256 | 84aa77d07f05c613d3ea60969b990a42c7f797c341ffa719fa512e22bc2e4a30 |
| SHA512 | 02aedf9fbe9c5906b8718ee0ee518f9715c88b4f596246cc3c81d71232953363ee41ff0b162c31e8672c1c074fddddba32a3e0410747639914a646606598ab52 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000073
| MD5 | 1784d82edabfbc66aca767eb7becc500 |
| SHA1 | 6b5e78f735d0d09fec5ff94efc3374af2a75ad74 |
| SHA256 | 7ea81e7c911e5ba134b67278f0d7f2baf4e652243c57bb699030ecc77e85619a |
| SHA512 | 852dbdb202cd0e83dcd4b2e83a9875db060cc2202d55b9b37c3514e8e63f1d12178a3ba24ea6e2cd10b57888c56477d18a6883e520bbf7092c3f9b2d33746849 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\96ada297-d9c8-4138-bebd-29db841be4c7.tmp
| MD5 | c8b49426fe1210ce89741d17bc603b0f |
| SHA1 | eaa86f4b435364e8c6da32e800bb1d890d25f249 |
| SHA256 | a2ba83321fae2e4c878fd3acd512752d0bdf21d1007873e2d755ea119c72a2f7 |
| SHA512 | a4c94b45c648fdb59e9b9cd889f1a0ed282e78e037a267e103ee6a8cb6ed9d41768c8f51431eac523f60d4c355559101705cc51ab4cdba61127e0a483369a793 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000d9
| MD5 | 1ddfad63e0fe9b8f7fc8f5c0a50380ef |
| SHA1 | 0e10fe40a9757af729195af1afaf826c6b1d277d |
| SHA256 | d63a4170e2e50c23971a8b98381fc2afd9488998737e147a5a130e431b708980 |
| SHA512 | ef5989bc749208a0de56e14048276132eeb5d945c8d92f7922ba5476747ebf02dfc0959a06e1ee21beb31cec044b69591db04145789bbe54af7763c67f3de4b9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 9cff2861e70e46a581c46580bc0cc64a |
| SHA1 | bfb77ac471e29df39a4d0f908f977e51914975d5 |
| SHA256 | a06aef3700510e2ccce1cd60f4b4ab12c60bf2297abcef90ceca7894f931bdf0 |
| SHA512 | 38448eee75c38d57f14e4d5aa3726135f517f602e8b77dedbdba2a05055c6afe91c5c88baa9cd331d82c283763d43ff0f24cce80b3841b0ac40356532b44bdb6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b3590e172b42df49d99767291c76e925 |
| SHA1 | c3044490806af5b806c4c976bbb0d1a212408ec9 |
| SHA256 | 82c6861e246830e9b7c8fbd252442811a42ef405b1347de16bbba88b03bab158 |
| SHA512 | d73d5d02c9011e4a2cd45ac8323a59a067c39e2ec27faefae442e9dc973f58775697b3a15f0c149aaba379629025829e965ccd6f87824cef1afc96f0a5388804 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 23073689bf885e2f6a8f477c97d79f61 |
| SHA1 | 1348c084677f13adee8c753093b922459fbf02e7 |
| SHA256 | 23f82c123fb43aa3a1509fb7e4b6fff32e6eb657cca6e61460b07924873d23a5 |
| SHA512 | 89f0fb6b60c65d13dbe42df259a95bc3b6fa0c1ce42a954f7301dc9fe7e57fa144a2e48cfbec28b406b9e3940d2ed6550d9579780d3407b20fff8d538a997b8b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-index
| MD5 | 4bdbe9f036c51fa27bef75cd51662bc7 |
| SHA1 | fd3b804ccdf95337a49bf4df9e507dc7665e5933 |
| SHA256 | f3f1f69241c037ddb2cbfc9c51b6bfd3d66c3cad1d8825d946b8f3a4b8e7a68a |
| SHA512 | 9f76938db9202427102bf451cdb9d7b5c2ee8338601e8af825de63b50d725a6e768e87391c31877651951e93de3831316fb946db75f66d16fdccdd6146e0ce0e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-index~RFe6196e0.TMP
| MD5 | 0f987e9bc585b500f093fc57dcccdead |
| SHA1 | b48e81f9c2fdb2b9baf30a04f776ab2fa33e18db |
| SHA256 | bc65325c1bad7eab010ed20371d24fe02c4b34331b5d867cca61376aabbca6f4 |
| SHA512 | 83523684a387728e3685b98e7126226a3d976a8a78a76869aaafe14baf60a9c56284a0b7ffaa07795e4eee47923d68c6dfff6037366839b79083d37674a60f92 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\2B15BCF5-27C4-47C0-BB1E-B34F330E721B
| MD5 | 2f82426450332b558a61ae9ca551abd9 |
| SHA1 | abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d |
| SHA256 | 57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52 |
| SHA512 | dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\EDE1A75C-3BF4-4CE5-94C9-2D5E10C38D60
| MD5 | 85ad173999ed440af6120f3b4fd436fa |
| SHA1 | eebe3bae40b0c82db581b905e2a4c4a90055c9b3 |
| SHA256 | 2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165 |
| SHA512 | 3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-index~RFe61a96e.TMP
| MD5 | 51bf0864496dd1c6766df5ac6d8f4423 |
| SHA1 | a8a0929ff9386c79c93d98b39247b2ef6f8b56ba |
| SHA256 | 296237b87601d70f6cab7c618e4abd1a6850f34f8e86a099e6e3ef21b37bf6e0 |
| SHA512 | d6f3e64fc9261e5218bf84fc0a0da8642429a41a9988b7eec46b06153f68b6e1cc0502aea1ecd2c4408904302e79e38df4521a9c67c0707133f7a70f0d863007 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-index
| MD5 | 79a3e83a5f85d233ee8057c5ab11bd38 |
| SHA1 | de307ae53c184fece4666ccdb32dd68b3db33c7e |
| SHA256 | 4f6e3cdd7faac1e812554a28371c036f70bdbe50116d419a2f70a7a37731ee67 |
| SHA512 | 3b08cf0bb911c8720f2631f9ece83f239d8166f06bfc11ee8e5fcb6ccc9bec788dc29bbc8e42df378f5b538b0e0f868ef94dddb1f4d96badc44fbaf5a238256a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index~RFe61ac7b.TMP
| MD5 | 7d708560d7c48eaf77e5edf8a6d31338 |
| SHA1 | dd750aa801c193c80829349ca1738862c530407b |
| SHA256 | 8bea4a6fa07eaa72b6ee1d5100e977f40d9874db617d6b183b2eb071d3e5fc08 |
| SHA512 | 31dc78b0dbe0c262e995f8eda49a39cc959f76b1cab0d134147935be3f2b68625a04495fb8eeb0b8ad052fdbfb5739bc979d7dcae54e8538a3007eb3ac9b4124 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index
| MD5 | ca64c5e4cf2949ef9b81e9bfd2570708 |
| SHA1 | aee486ec2a6cc77d349a391e7757dddc4766feaa |
| SHA256 | 7fcd5cb39378bba9b9a88d3c790432b596e7426791a91c17208375510ec70c04 |
| SHA512 | 01f1ca256ca7f5267198184c7aec019abf3f806671a0ee08358c012d913e8e3f4f75b055c8de6b5436700816c0f0a274f7209da9e889f3fa3cf3bf0c1411bd8f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 0ce6042cb591fec35169d1c4007c1b87 |
| SHA1 | fccf7e0822f6536f4281ac44d90a331f3f8caa27 |
| SHA256 | f6cf29495f5a6c54b8f6d14e63e79522aeb88ed45a7331138bbeaa04c78cd29d |
| SHA512 | 1cf15685f1cf68a934b452c1f553b273a456b3a4e3e924f03d8efa53c9ed5ae6aa70d7259ba9e5a914b39b80e7894af98ce782984c290152364b75c9c1ce2646 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 593a3e4e0e9a50485833bca9e3eb2ec5 |
| SHA1 | a2bcde9909a04ddc71b31512e880cac32f6b01c8 |
| SHA256 | ba28c6bdc71efb704a6a2c48da79cd78e4e170c39af27f51b552a93bbe878681 |
| SHA512 | 1cc6bf852c5e6d10d96b255960a96dedbccfd6de75d03d994ada8191d764d3dce7dbdee5db162b86fe851f5792ebeae843dde0c9b679f8b9210044c2c54f091e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 678089ac5f0ebc80ac98acee9ac27841 |
| SHA1 | 6e377f6df307a3f3b9ce618bdcf5603772216519 |
| SHA256 | 4adcd0e43afb8b5785382be2e9bd56389e8eb1660d3f4cf42bf8e846c80e330c |
| SHA512 | a0ca2d378b33fbd3942296abcf145471e34cff11f2c174793b157bb4dc7c2de0ef4773ea0238c5e68f84c1bcb2242819bb0929343dfc58d1a7e16611bc28e5f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8bcca50d36a1d8e3e20f09c64178b59b |
| SHA1 | e8ad3eec32d4193892c2416ed831bf1307362902 |
| SHA256 | 125e7780f9579fbfcc40a5d1f70f4236a7473e711e3aa7b816de0ad56ed47684 |
| SHA512 | fc018182d1bf64e1733d8f0cc7dc570d785cc150fa01369edf1366a3a3d690d9bcdc1b60ad1655aedc689c0b4727a0b6185a4e5583257bb4527812c06d630b20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 84393f6249b14b6e0f5801a026892665 |
| SHA1 | 3a2ae966b62a49095be2364066b1faf30146409d |
| SHA256 | bfd358a00c62ebb647a9f8ef4852c0bb67b8340444f9f6c8d8804fee7bc23d7d |
| SHA512 | c1d08f94b93e04a8a37a8db73bbc175dfadf33864b17f66544b1df309048822b1e5e0c3328bfdef4b02763007f24dada09b68cbe3dda5ea55149c6862a4010ab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index
| MD5 | 6cb762347e9e87aae96f4a5a2448513a |
| SHA1 | 2a4d9380cfe7cab9e7de790c34db4e13675e1432 |
| SHA256 | 0954574ff443d12efbc7b57d48cf51ac63992770423bc876f99c26d40df1b70a |
| SHA512 | 83fd1b41fb2a1701b8f55366dff8b73f8040231fc5eb8c59071845e8b9a2dbb372c85ccff54883114da458e6376b63bef5a494359f4adfc4c69228ae24e0bb49 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0fd363c28f48d10795b5025db8cbade3 |
| SHA1 | b540f44e2b8d67e1749a5b7152f95c63d9bc7df9 |
| SHA256 | 7004537ea710f2a6a3398d2429930406993052525a92a32853ca3da5f4328d81 |
| SHA512 | faabd5f57bfbecdf4accfbba5f915a05ad49c109b97b0fa417cfaf4b2efea1a403b0efaed3a79ba6fce18b35f33cb237082807c8561a66e3ed68ab016037265e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 27d6feb11e97cce605182ca0ca821c7a |
| SHA1 | d393f7e9c4017c12c4e1f2c54400fd6e14eb3aac |
| SHA256 | 9a504e11771fe54dc8ea2554595e22d0a9959240919c97e9769ce0b0e65b61cd |
| SHA512 | 2576471d1a57f51e593f50c70c08f75b199258097ce6535ab06d22650b7c4a66b3e36347eb678ebcc40787e0d2b593ab1a76fdae51f054f4d266127559d2eb3c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt
| MD5 | 4c938d6eb665658e7275cfd722726e4d |
| SHA1 | 0c8de1ac38aeac9d4e299c0b6383b880e98f055a |
| SHA256 | d37cc09a6470ded4f8b56b90e54094ea5e99dab8f605bb388c3b5e48206c5ed5 |
| SHA512 | b03712310148c9c181fbc9bd3fc55ac2a374074d7cfcae17977bb73890202599b01dfaa6de7161b4a09dd76e6c540bdb6c92e4da0dbd075c68e23c394180151a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fd197c24f5db8f68c34fcaa823aa1cfb |
| SHA1 | e731220406002ef30bfc04d6287b6adb66d7440a |
| SHA256 | bcc036b8a233dfa4292bfdd47903ee8141eedb25c289c15db5928e588caa5692 |
| SHA512 | 62941d60407baef0d502fcdc2d3ac185c81395804e653366a3ce3e6576b5249a2fdd52b528e16570fea1a3dd6156e7d48dc3e37299c560d22b9170f5a08bcd3d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7bb4abd9808fa1239fbb08061fa90d04 |
| SHA1 | 32b3a8e94c28137148f038179ff12890630c0b9e |
| SHA256 | 7f42c279494da7b5a4dc9c3eeb9dce0c16bb2b5c251f1f9afcbde522032d8b4c |
| SHA512 | 4f005f32957a7d3d1115e4677fbce2b21a7f391c3e1aa87bc68789d7e5a3bce8ace9ca940119cb5f0384d3033b56e39f31dbfee3762ea1a26cabe0be8748385e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3d09c308514b4293740f16a7e94fa953 |
| SHA1 | 4939c879b7bf497c554cbd76891d02c5a48e6b73 |
| SHA256 | e5ff2cfecfa9ce6391c98994369216a15037253b4c50c2533a5cbaf6ba3300de |
| SHA512 | bbfc7cb0b9593c9526b84328936bb9ee095493e1be587fb8894e682f222f22f74ae58a664cd4918fe6b05541fa8aa641873e406b80fe1d53c6363aa236c42803 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e8ab30682a6621d761eac609abc45c3e |
| SHA1 | b155bfcb5bc5633298a1adb800c1cead775768f2 |
| SHA256 | 4a2b7301fcbb1e3ea80fbcbb46ac605d10573bc663490b0687ac6c992858fde9 |
| SHA512 | 610be783e0c840862cb5c759a37d7b963efc90a1082d9fffd9991a48bbc81e7388e1c2ff00883ab424e00b75607b6a8f1e546d62e41feb9f736d1aca67eebecd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index
| MD5 | 82302bb17ba05dceca8a4b2f64a32d63 |
| SHA1 | 701095341fda0309a1f65939dafe8e22b09fcb7e |
| SHA256 | 90e18370f8ccfa2aa8aa5fbd848a1b11fd87986a21c6dcc6a5710f75d61d473b |
| SHA512 | 72fcd9f6fa0496821922c736fe049ff3f7b4045fbbaa497f99791316fc06bb39d2896fdaebfd6e1df202d18f809eefbc0889b976ed767a26b6be76bb2107485d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt
| MD5 | 519e3b6864f0c65b308aa491028ebf51 |
| SHA1 | 4ba0d6f37045aa5e5df4ce34eb73d26f3d96bc88 |
| SHA256 | d684f5b1eda9a073502582d572e3a1869e6a1e5f6b7cabfb3b554d939a95e4ea |
| SHA512 | 12f7b6db65a06230202cddcbd26ffb78fecad1619627c1335c41d476d82844617a43c21d7415e283e76df3235bc30fdff89478364449ad1ce56328ef3017ee16 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f4fcce1495995658fef7e8836f8303a9 |
| SHA1 | 2fac1b22b1d31713090a31bb9f39791b32ccd183 |
| SHA256 | 3f947a891b8f8af11d64613aa3bf17174eea1cf69b7f7a16d71dfb8c65e3aac2 |
| SHA512 | 19357e9b1700f7c67260cb5f2c87bb8246c6c335e3ac6043d10012f2209420b50ae5e07995e0298f69393c7df56080f71c978a038023ed22bd911d42eb213fd6 |