Malware Analysis Report

2024-09-09 11:22

Sample ID 240620-vrt18sydlc
Target MAS_AIO-CRC32_31F7FD1E.cmd
SHA256 533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0
Tags
microsoft phishing
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0

Threat Level: shows suspicious behavior

The file MAS_AIO-CRC32_31F7FD1E.cmd was classified as showing suspicious behavior (score 7/10); no signature in this report rates it as outright malicious.

Malicious Activity Summary

microsoft phishing

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 17:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 17:13

Reported

2024-06-20 17:28

Platform

win10v2004-20240611-es

Max time kernel

842s

Max time network

842s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd"

Signatures

Loads dropped DLL

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe N/A 19
N/A N/A C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe N/A 19
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe N/A 19
N/A N/A C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe N/A 3

Identical rows are collapsed; the Rows column is how many times the report listed each process (64 rows listed). The dismhost.exe copies under %TEMP%\<GUID>\ are how Dism.exe stages its host process and provider DLLs, so those loads are DISM's own libraries (see the dism.log writes under "Drops file in Windows directory"). The four WINWORD.EXE rows are the only loads by a process outside that staging; the report does not name the DLL.

Detected potential entity reuse from brand microsoft.

phishing microsoft

This is a brand-string heuristic. No URL, page or credential form is recorded in this report to corroborate phishing, so the "microsoft phishing" tags at the top of the report rest on this match alone.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT C:\Windows\system32\svchost.exe N/A

The writer is svchost.exe and WinBioDatabase is the Windows Biometric Service's template store; on its own this row is background service activity, not something attributable to the script.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\sppcs.dll C:\Windows\System32\cmd.exe N/A
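The three rows above are the report's most specific indicator: powershell.exe and cmd.exe create sppc.dll and sppcs.dll under the Click-to-Run Office vfs\System directory. sppc.dll is the name of the Software Licensing Client DLL that ships in System32, and Click-to-Run Office virtualizes its vfs\System folder over System32 for Office processes, so a DLL planted there is what Office loads in place of the genuine library (consistent with WINWORD.EXE appearing under "Loads dropped DLL"). The following PowerShell is an added hunting check, not part of the sandbox report: it compares any sppc.dll or sppcs.dll found in that directory against the System32 original by Authenticode status, signer and SHA-256. The Office root path is the one from the report; a 32-bit Office install under Program Files (x86) (and its SysWOW64 reference copy) would need the paths changed.

```powershell
# Added hunting check for the Program Files drop recorded in this report: sppc.dll / sppcs.dll
# created under the Click-to-Run Office vfs\System directory. Example code, not part of the
# sandbox report. Assumes the Office root path from the report and an elevated session.

$officeVfs = 'C:\Program Files\Microsoft Office\root\vfs\System'   # path from the report
$reference = Join-Path $env:SystemRoot 'System32\sppc.dll'          # genuine Software Licensing Client DLL

function Get-DllFacts {
    # Collects the properties needed to tell a genuine copy from a planted or renamed one.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Sha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        SigStatus   = $sig.Status                  # Valid / NotSigned / HashMismatch / ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        Size        = $item.Length
        CreatedUtc  = $item.CreationTimeUtc
    }
}

$ref = Get-DllFacts -Path $reference
if (-not $ref) { throw "Reference $reference not found; cannot compare." }

$findings = foreach ($name in 'sppc.dll', 'sppcs.dll') {
    $f = Get-DllFacts -Path (Join-Path $officeVfs $name)
    if (-not $f) { continue }      # absent is the expected state on a clean host
    # Authenticode covers file content, not the file name, so a renamed original still
    # verifies as Valid and hashes identically to the System32 copy of the same build.
    $verdict = if ($f.SigStatus -ne 'Valid') { 'unsigned or tampered DLL in the Office directory' }
               elseif ($f.Signer -notmatch 'Microsoft') { 'validly signed, but not by Microsoft' }
               elseif ($f.Sha256 -eq $ref.Sha256) { 'byte-identical to System32\sppc.dll (relocated or renamed original)' }
               else { 'Microsoft-signed but differs from System32\sppc.dll; compare file versions' }
    $f | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

if ($findings) { $findings | Format-List }
else           { "No sppc.dll or sppcs.dll under $officeVfs" }
```

On a clean Click-to-Run install neither file should exist in vfs\System, so any output at all is a finding; the verdict only tells you which kind. Run it elevated so the Program Files reads and the signature check are not blocked by ACLs.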

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\System32\Dism.exe N/A

Launches sc.exe

Description Indicator Process Target Rows
N/A N/A C:\Windows\System32\sc.exe N/A 64

Identical rows are collapsed; the Rows column is how many times the report listed the process (64 rows listed). The report records no command-line arguments for these launches.
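The report's command line is a cmd.exe running a .cmd out of %LOCALAPPDATA%\Temp, and the detonation shows sc.exe launched repeatedly alongside Dism.exe, its staged dismhost.exe copies, powershell.exe and clipup.exe. The following PowerShell is an added detection query, not part of the sandbox report: it pulls Sysmon process-creation events (Event ID 1) and keeps children from that list whose parent is a cmd.exe running a .cmd or .bat file from a Temp path, then groups them by the parent command line so one script launch shows up as one cluster. It assumes Sysmon is installed with process-creation logging and that the caller can read the Sysmon operational log; the seven-day window and the child-process list are choices made here, not values from the report.

```powershell
# Added detection query for the process-creation pattern in this report: cmd.exe running a
# .cmd out of a Temp directory that spawns sc.exe, Dism.exe/dismhost.exe, powershell.exe or
# clipup.exe. Example code, not part of the sandbox report. Assumes Sysmon Event ID 1 logging.

$children = 'sc.exe', 'dism.exe', 'dismhost.exe', 'powershell.exe', 'clipup.exe'   # chosen here
$since    = (Get-Date).AddDays(-7)                                                # chosen here

function Get-EventField {
    # Reads one named <Data> element from a Sysmon event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $image  = Get-EventField $e 'Image'
    $parent = Get-EventField $e 'ParentImage'
    $pcmd   = Get-EventField $e 'ParentCommandLine'
    if (-not $image -or -not $parent) { continue }
    $leaf = [IO.Path]::GetFileName($image).ToLowerInvariant()
    if ($children -notcontains $leaf) { continue }
    if ($parent -notmatch '\\cmd\.exe$') { continue }
    # The parent cmd.exe must itself be running a .cmd/.bat from a user Temp path, as in the
    # report's command line (...\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd).
    if ($pcmd -notmatch '(?i)\\AppData\\Local\\Temp\\[^"]+\.(cmd|bat)') { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Child     = $image
        ChildCmd  = Get-EventField $e 'CommandLine'
        ParentCmd = $pcmd
        User      = Get-EventField $e 'User'
    }
}

$hits | Sort-Object Time | Group-Object ParentCmd | ForEach-Object {
    "{0} child process(es) under: {1}" -f $_.Count, $_.Name
    $_.Group | Format-Table Time, Child, ChildCmd -AutoSize | Out-String
}
```

A single administrator running a batch file from Temp will also match, so the value is in the cluster: dozens of sc.exe launches plus Dism.exe and clipup.exe under one parent command line is the shape seen in this report, one or two sc.exe calls is not. Extend the Temp regex to \Windows\Temp\ if scripts staged there are in scope.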

Checks SCSI registry key(s)

All reads below are made by Windows system binaries (clipup.exe, SettingSyncHost.exe, taskmgr.exe) against ordinary device-enumeration keys; the virtual-device vendor strings (QEMU, Msft Virtual DVD-ROM) identify the analysis VM. Treat this as a low-confidence evasion indicator unless the script's own process tree is shown querying these keys.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Modifies Internet Explorer settings

adware spyware

The "adware spyware" label is the signature's generic tag. The entries are DOMStorage quota counters and sync bookkeeping under the user's Internet Explorer key, written by WINWORD.EXE and wwahost.exe while an embedded web view loaded Microsoft sign-in pages (live.com, signup.live.com, microsoft.com, arkoselabs.com, hsprotect.net). None of them is a proxy, start-page or security-zone change.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "60" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "32" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\signup.live.com C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\hsprotect.net C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "177" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "122" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "32" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "221" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "3693" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "122" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\NumberOfSubdomains = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "20" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "20" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "168" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3733" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.com C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "3693" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "40" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "177" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "2" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "20" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "128" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "217" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\arkoselabs.com\NumberOfSubdomains = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\signup.live.com\ = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "261" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hsprotect.net\Total = "221" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msft.hsprotect.net\ = "128" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633775353780673" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedge.stable_8wekyb3d8bbwe\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.creddialoghost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.client.cbs_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\ = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.aad.brokerplugin_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.ecapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoftwindows.undockeddevkit_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "122" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.win32webviewhost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{100BEB3C-74F3-45D0-9D48-EE8EE61E0779} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdomai = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "122" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.xgpuejectdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.xboxgamecallableui_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.accountscontrol_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.lockapp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\ncsiuwpapp_8wekyb3d8bbwe\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.bioenrollment_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.apprep.chxapp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceho C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.callingshellapp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.printdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (40 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A (23 identical rows)
N/A N/A C:\Windows\system32\wwahost.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A (14 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sc.exe
PID 1832 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sc.exe
PID 1832 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\findstr.exe
PID 1832 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\findstr.exe
PID 1832 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4636 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4636 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4636 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 4636 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1832 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fltMC.exe
PID 1832 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fltMC.exe
PID 1832 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\find.exe
PID 1832 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1832 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1832 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3116 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3116 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3116 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3116 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3116 wrote to memory of 4364 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 4364 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\findstr.exe
PID 3116 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\findstr.exe
PID 3116 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 4988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3116 wrote to memory of 4384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3116 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 1896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 1896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1896 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3116 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\find.exe
PID 3116 wrote to memory of 2984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\fltMC.exe
PID 3116 wrote to memory of 2984 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\fltMC.exe
PID 3116 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3116 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f

C:\Windows\System32\cmd.exe

cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" -qedit"

C:\Windows\System32\reg.exe

reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "

C:\Windows\System32\find.exe

find /i "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\System32\PING.EXE

ping -4 -n 1 updatecheck.massgrave.dev

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "

C:\Windows\System32\find.exe

find "127.69"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "

C:\Windows\System32\find.exe

find "127.69.2.6"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/S"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "

C:\Windows\System32\find.exe

find /i "/"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 110, 34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $ExecutionContext.SessionState.LanguageMode

C:\Windows\System32\find.exe

find /i "Full"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net

C:\Windows\System32\PING.EXE

ping -n 1 l.root-servers.net

C:\Windows\System32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc query UsoSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc query CryptSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc query BITS

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc query TrustedInstaller

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\System32\sc.exe

sc query WaaSMedicSvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\System32\sc.exe

sc config DoSvc start= delayed-auto

C:\Windows\System32\sc.exe

sc query ClipSVC

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start ClipSVC

C:\Windows\System32\sc.exe

sc query wlidsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wlidsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query KeyIso

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start KeyIso

C:\Windows\System32\sc.exe

sc query LicenseManager

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start LicenseManager

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Start-Service DoSvc

C:\Windows\System32\sc.exe

sc query DoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start DoSvc

C:\Windows\System32\sc.exe

sc query UsoSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start UsoSvc

C:\Windows\System32\sc.exe

sc query CryptSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start CryptSvc

C:\Windows\System32\sc.exe

sc query BITS

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start BITS

C:\Windows\System32\sc.exe

sc query TrustedInstaller

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start TrustedInstaller

C:\Windows\System32\sc.exe

sc query wuauserv

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start wuauserv

C:\Windows\System32\sc.exe

sc query WaaSMedicSvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start WaaSMedicSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "9" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismhost.exe {215EE2D0-1153-4CF5-92A8-3419BBB2F70A}

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /dlv

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility

C:\Windows\System32\find.exe

find /i "windowsupdate"

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s

C:\Windows\System32\findstr.exe

findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo: "

C:\Windows\System32\find.exe

find /i "wuauserv"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "

C:\Windows\System32\find.exe

find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul

C:\Windows\System32\reg.exe

reg query "HKCU\Control Panel\International\Geo" /v Nation

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Set-WinHomeLocation -GeoId 244"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "

C:\Windows\System32\find.exe

find "AAAA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Restart-Service ClipSVC

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem126A.tmp

C:\Windows\System32\ClipUp.exe

clipup -v -o

C:\Windows\System32\clipup.exe

clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem1345.tmp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value

C:\Windows\System32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Set-WinHomeLocation -GeoId 217"

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 76, 25

C:\Windows\System32\choice.exe

choice /C:1230 /N

C:\Windows\System32\mode.com

mode 130, 32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $ExecutionContext.SessionState.LanguageMode

C:\Windows\System32\find.exe

find /i "Full"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "9" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\26F76E0A-CA61-40C0-8C5E-1F10B463D1BC\dismhost.exe {6AAB1661-765A-48DB-B215-801BAE6016E8}

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /dlv

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""

C:\Windows\System32\find.exe

find /i "Office"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\System32\sc.exe

sc query ClickToRunSvc

C:\Windows\System32\sc.exe

sc query OfficeSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "

C:\Windows\System32\find.exe

find /i "Wow6432Node"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k

C:\Windows\System32\findstr.exe

findstr /i "Retail Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "" "

C:\Windows\System32\find.exe

find /i " ProPlusRetail.16 "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "

C:\Windows\System32\find.exe

find /i "2024"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "

C:\Windows\System32\find.exe

find /i "Subscription"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"

C:\Windows\System32\find.exe

find /i "Error found"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-18\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "

C:\Windows\System32\find.exe

find /i "Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "

C:\Windows\System32\find.exe

find /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /upk 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebaf6ab58,0x7ffebaf6ab68,0x7ffebaf6ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2056 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3980 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3496 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3448 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4412 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4452 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3636 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1536 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5208 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5200 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Windows\system32\SettingSyncHost.exe

C:\Windows\system32\SettingSyncHost.exe -Embedding

C:\Windows\system32\verclsid.exe

"C:\Windows\system32\verclsid.exe" /S /C {72C984BA-0666-4D3F-A0DE-96BF43838E6E} /I {0CB6E812-BD37-4416-BFAE-E44A7C15B453} /X 0x1

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 76, 25

C:\Windows\System32\choice.exe

choice /C:1230 /N

C:\Windows\System32\mode.com

mode 130, 32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $ExecutionContext.SessionState.LanguageMode

C:\Windows\System32\find.exe

find /i "Full"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "9" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\7C1832FA-2A19-457F-BC16-79923568128D\dismhost.exe {8985BFB9-C941-4C84-AA2F-DF718FE46BCF}

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /dlv

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""

C:\Windows\System32\find.exe

find /i "Office"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\System32\sc.exe

sc query ClickToRunSvc

C:\Windows\System32\sc.exe

sc query OfficeSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "

C:\Windows\System32\find.exe

find /i "Wow6432Node"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k

C:\Windows\System32\findstr.exe

findstr /i "Retail Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "" "

C:\Windows\System32\find.exe

find /i " ProPlusRetail.16 "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "

C:\Windows\System32\find.exe

find /i "2024"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "

C:\Windows\System32\find.exe

find /i "Subscription"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-18\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "

C:\Windows\System32\find.exe

find /i "Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\Console" /v ForceV2

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\System32\cmd.exe

cmd

C:\Windows\System32\mode.com

mode 76, 25

C:\Windows\System32\choice.exe

choice /C:1230 /N

C:\Windows\System32\mode.com

mode 130, 32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $ExecutionContext.SessionState.LanguageMode

C:\Windows\System32\find.exe

find /i "Full"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "

C:\Windows\System32\find.exe

find /i "Windows"

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start

C:\Windows\System32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\System32\sc.exe

sc query sppsvc

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start sppsvc

C:\Windows\System32\sc.exe

sc query Winmgmt

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\sc.exe

sc start Winmgmt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "10" "

C:\Windows\System32\find.exe

find /i "Error Found"

C:\Windows\System32\Dism.exe

DISM /English /Online /Get-CurrentEdition

C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\50252C00-30F3-4922-8F62-87FD4B4745E5\dismhost.exe {212E4BE1-937E-4A06-9235-5B2CCB6A2403}

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID

C:\Windows\System32\cscript.exe

cscript //nologo C:\Windows\system32\slmgr.vbs /dlv

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\findstr.exe

findstr /i "0x800410 0x800440"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-AppxPackage -name "Microsoft.Office.Desktop""

C:\Windows\System32\find.exe

find /i "Office"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path

C:\Windows\System32\sc.exe

sc query ClickToRunSvc

C:\Windows\System32\sc.exe

sc query OfficeSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul

C:\Windows\System32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "

C:\Windows\System32\find.exe

find /i "Wow6432Node"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k

C:\Windows\System32\findstr.exe

findstr /i "Retail Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "" "

C:\Windows\System32\find.exe

find /i " ProPlusRetail.16 "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ProPlusRetail "

C:\Windows\System32\find.exe

find /i "2024"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "Retail" "

C:\Windows\System32\find.exe

find /i "Subscription"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo "26b394d7-7ad7-4aab-8fcc-6ea678395a91 339a5901-9bde-4f48-a88d-d048a42b54b1 5829fd99-2b17-4be4-9814-381145e49019 596bf8ec-7cab-4a98-83ae-459db70d24e4 60afa663-984d-47a6-ac9c-00346ff5e8f0 6755c7a7-4dfe-46f5-bce8-427be8e9dc62 6c1bed1d-0273-4045-90d2-e0836f3c380b 70d9ceb6-6dfa-4da4-b413-18c1c3c76e2e 84832881-46ef-4124-8abc-eb493cdcf78e 85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 aa64f755-8a7b-4519-bc32-cab66deb92cb c8ce6adc-ede7-4ce2-8e7b-c49f462ab8c3 de52bd50-9564-4adc-8fcb-a345c17f84f9 e1fef7e5-6886-458c-8e45-7c1e9daab00c" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="GM43N-F742Q-6JDDK-M622J-J8GDV"

C:\Windows\System32\cmd.exe

cmd /c exit /b 0

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':sppc64.dll\:.*';$encoded = ($f[1]) -replace '-', 'A' -replace '_', 'a';$bytes = [Convert]::FromBase64String($encoded); $PePath='"C:\Program Files\Microsoft Office\root\vfs\System\sppc.dll"'; $offset='"3076"'; $m=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':hexedit\:.*';iex ($m[1]);"

C:\Windows\System32\find.exe

find /i "Error found"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Split-Path -Path $_.PSPath -Leaf }"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done

C:\Windows\System32\find.exe

find /i "0x1"

C:\Windows\System32\reg.exe

reg query HKCU\Software\Microsoft\Office\16.0\Common\Licensing\LicensingNext

C:\Windows\System32\findstr.exe

findstr /i "volume retail"

C:\Windows\System32\findstr.exe

findstr /i "0x2 0x3"

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-18\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-19\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-20\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg delete HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /f

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-18\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-19\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-20\Volatile Environment"

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKU\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Volatile Environment"

C:\Windows\System32\reg.exe

reg add HKCU\Software\Microsoft\Office\16.0\Common\Licensing\Resiliency /v "TimeOfLastHeartbeatFailure" /t REG_SZ /d "2040-01-01T00:00:00Z" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " ProPlusRetail " "

C:\Windows\System32\find.exe

find /i "Volume"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE" 2>nul

C:\Windows\System32\wbem\WMIC.exe

wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /VALUE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo " de52bd50-9564-4adc-8fcb-a345c17f84f9" "

C:\Windows\System32\find.exe

find /i "de52bd50-9564-4adc-8fcb-a345c17f84f9"

C:\Windows\System32\mode.com

mode 76, 30

C:\Windows\System32\choice.exe

choice /C:123456780 /N

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5004 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6076 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5620 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 --field-trial-handle=1960,i,15954504963449708264,11862987983431776197,131072 /prefetch:8

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

BE 23.41.178.104:443 www.bing.com tcp
US 8.8.8.8:53 108.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 97.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 183.158.104.13.in-addr.arpa udp
US 8.8.8.8:53 104.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 m.adnxs.com udp
US 76.223.111.18:443 eb2.3lift.com tcp
NL 185.89.211.84:443 m.adnxs.com tcp
US 76.223.111.18:443 eb2.3lift.com tcp
US 8.8.8.8:53 consent.config.office.com udp
GB 20.77.247.178:443 consent.config.office.com tcp
US 8.8.8.8:53 cdn.adnxs.com udp
US 8.8.8.8:53 ams3-ib.adnxs.com udp
BE 23.41.178.104:443 www.bing.com udp
US 151.101.1.108:443 cdn.adnxs.com tcp
US 8.8.8.8:53 admin.microsoft.com udp
US 13.107.9.156:443 admin.microsoft.com tcp
US 8.8.8.8:53 18.111.223.76.in-addr.arpa udp
US 8.8.8.8:53 84.211.89.185.in-addr.arpa udp
US 8.8.8.8:53 178.247.77.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 156.9.107.13.in-addr.arpa udp
US 8.8.8.8:53 108.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
NL 20.50.201.205:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp
US 151.101.129.108:443 cdn.adnxs.com tcp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 windows.policies.live.net udp
IE 40.90.128.17:443 windows.policies.live.net tcp
US 8.8.8.8:53 www.windowssearch.com udp
US 150.171.28.10:443 www.windowssearch.com tcp
US 8.8.8.8:53 substrate.office.com udp
GB 40.99.202.66:443 substrate.office.com tcp
US 8.8.8.8:53 17.128.90.40.in-addr.arpa udp
US 8.8.8.8:53 66.202.99.40.in-addr.arpa udp
US 8.8.8.8:53 continuum.dds.microsoft.com udp
IE 20.82.217.86:443 continuum.dds.microsoft.com tcp
US 8.8.8.8:53 odc.officeapps.live.com udp
IE 52.109.76.144:443 odc.officeapps.live.com tcp
US 8.8.8.8:53 86.217.82.20.in-addr.arpa udp
US 8.8.8.8:53 144.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 directory.services.live.com udp
GB 40.99.202.66:443 substrate.office.com tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 ocws.officeapps.live.com udp
IE 52.109.76.62:443 ocws.officeapps.live.com tcp
IE 52.109.76.62:443 ocws.officeapps.live.com tcp
IE 52.109.76.62:443 ocws.officeapps.live.com tcp
IE 52.109.76.62:443 ocws.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 62.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 storage.live.com udp
IE 40.90.128.17:443 storage.live.com tcp
US 8.8.8.8:53 outlook.office365.com udp
GB 52.98.201.82:443 outlook.office365.com tcp
GB 52.98.201.82:443 outlook.office365.com udp
US 8.8.8.8:53 82.201.98.52.in-addr.arpa udp
US 8.8.8.8:53 directory.services.live.com udp
US 8.8.8.8:53 exo.nel.measure.office.net udp
US 8.8.8.8:53 m365cdn.nel.measure.office.net udp
IE 2.18.24.10:443 m365cdn.nel.measure.office.net tcp
IE 2.18.24.25:443 m365cdn.nel.measure.office.net tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
NL 185.89.211.84:443 ib.adnxs.com tcp
US 8.8.8.8:53 outlook.office365.com udp
US 8.8.8.8:53 substrate.office.com udp
GB 40.100.174.210:443 outlook.office365.com tcp
GB 52.98.207.50:443 substrate.office.com tcp
US 8.8.8.8:53 50.207.98.52.in-addr.arpa udp
US 8.8.8.8:53 210.174.100.40.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 ocws.officeapps.live.com udp
SE 184.31.15.242:443 metadata.templates.cdn.office.net tcp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 directory.services.live.com udp
FR 52.109.68.87:443 ocws.officeapps.live.com tcp
FR 52.109.68.87:443 ocws.officeapps.live.com tcp
FR 52.109.68.87:443 ocws.officeapps.live.com tcp
FR 52.109.68.87:443 ocws.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 87.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 242.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 messaging.engagement.office.com udp
NL 52.111.243.12:443 messaging.engagement.office.com tcp
US 8.8.8.8:53 12.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 directory.services.live.com udp
US 8.8.8.8:53 odc.officeapps.live.com udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
NL 52.109.89.119:443 odc.officeapps.live.com tcp
US 8.8.8.8:53 directory.services.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 119.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 directory.services.live.com udp
US 8.8.8.8:53 csp.microsoft.com udp
US 8.8.8.8:53 res.cdn.office.net udp
SE 184.31.15.227:443 res.cdn.office.net udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com udp

Files

memory/1872-0-0x000002A1BB990000-0x000002A1BBA12000-memory.dmp

memory/1872-10-0x000002A1B96E0000-0x000002A1B96F0000-memory.dmp

memory/1872-11-0x000002A1BB900000-0x000002A1BB922000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izr3agk2.zwg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1872-12-0x000002A1BBC30000-0x000002A1BBD32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8857491a4a65a9a1d560c4705786a312
SHA1 4f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256 b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512 d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4edc5d8588de3394e8a8d79ae5b943dc
SHA1 f79737afd4a1e21580ec1a165334b416911345ad
SHA256 a81d7b3bd76b4a17da3876d10b186920939834c8c877ad13ce475a8f07bd56d6
SHA512 b294a1b8eb74f6a33fee7371429755662c4620b051cf909b056e72f8c0088dc0d0c7651aa8fc4af1bd78559551a3984ca4a6ab816b8ab956b290c192df557d15

memory/2808-48-0x000002A359680000-0x000002A35969E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismHost.exe

MD5 e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256 e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA512 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCorePS.dll

MD5 a033f16836d6f8acbe3b27b614b51453
SHA1 716297072897aea3ec985640793d2cdcbf996cf9
SHA256 e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512 ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\dismprov.dll

MD5 490be3119ea17fa29329e77b7e416e80
SHA1 c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256 ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA512 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OSProvider.dll

MD5 db4c3a07a1d3a45af53a4cf44ed550ad
SHA1 5dea737faadf0422c94f8f50e9588033d53d13b3
SHA256 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA512 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\LogProvider.dll

MD5 815a4e7a7342224a239232f2c788d7c0
SHA1 430b7526d864cfbd727b75738197230d148de21a
SHA256 a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA512 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

C:\Windows\Logs\DISM\dism.log

MD5 edb423df3e785acde9dda9cc85d37d6b
SHA1 456da55e581b285d2057c6bb19f43620d2805184
SHA256 a3450ad8b20ccf2a84ec4da112b01caa26825734010641f6ac08c59f27d1a90f
SHA512 aeda3c7bedcf9def748e0b3edb9a7afd5f7067d468db3741896512e5171536cdc520a45ce79f9c6d9f76ab3028dd6cdcc382f347f740255b7b98941269a06e7c

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AssocProvider.dll

MD5 94dc379aa020d365ea5a32c4fab7f6a3
SHA1 7270573fd7df3f3c996a772f85915e5982ad30a1
SHA256 dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DmiProvider.dll

MD5 ea8488990b95ce4ef6b4e210e0d963b2
SHA1 cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA256 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA512 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\MsiProvider.dll

MD5 9a760ddc9fdca758501faf7e6d9ec368
SHA1 5d395ad119ceb41b776690f9085f508eaaddb263
SHA256 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f
SHA512 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SetupPlatformProvider.dll

MD5 1ae66f4524911b2728201fff6776903c
SHA1 68bea62eb0f616af0729dbcbb80dc27de5816a83
SHA256 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3
SHA512 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\UnattendProvider.dll.mui

MD5 7601ef496c3f171373605aca6299eb4b
SHA1 92c25a096a96c690cb405b2d5e2df35a06044104
SHA256 e2988f7e6ad35863b56534824069aaaf34fadd2d27524e5d030b706576fd359c
SHA512 0729514091ed0e0468a9466ba3d6b73bfd10eb0a60e1905671c443f66121d84fab57f511bf989580a715e4ea9ff9172aebfe2cc177674c8c14adce5b8a8de157

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IBSProvider.dll

MD5 120f0a2022f423fc9aadb630250f52c4
SHA1 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA256 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA512 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\IntlProvider.dll

MD5 510e132215cef8d09be40402f355879b
SHA1 cae8659f2d3fd54eb321a8f690267ba93d56c6f1
SHA256 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52
SHA512 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\WimProvider.dll.mui

MD5 263b263e5fe8c078a3866eadf7b2bf79
SHA1 9dad2d78e5f130b72a39c15fc548935dc9b96005
SHA256 43bc4c6ed713d8f04d359151edd47d6d63eb64a87ec37fb95c0fc8f056c8c023
SHA512 d8ba69b15420aaa6c1afb1bded5d0afb821c73e1ef538f06dff0f4d87520622cf0a5a989a480755a3cb35b9949098575c6beb51bb747352c280916e87fbf68cf

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\WimProvider.dll

MD5 229df404d67e69e57f9e284a66f2adeb
SHA1 7f4f703dbe8c274f5104d4d104dafcadf0c3857b
SHA256 8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377
SHA512 917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\VhdProvider.dll.mui

MD5 bc6b19d90559744702c1687b0e5b376f
SHA1 a3752de9ad56f2256a5190b01c641f173b60bfed
SHA256 631d6c84c00fcf1e7260734e92bee36243b8c40e97b853be1723dcae277ffaef
SHA512 9be6cdcbfb665a57e132388a0045a5ce6560740cf2d2d0537acaa7331cf1db2c6d0e1b2200d7cb892c7b6be47b73073a38e1ed6296631b7550a474110ef10800

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\VhdProvider.dll

MD5 c6488a9b3569230669c72f3239cbc108
SHA1 87b9b2ab5de52f246c1936480463bd402ad519b9
SHA256 4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36
SHA512 47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\UnattendProvider.dll

MD5 f7bd21c4170b1397eb098fa18ef45d4b
SHA1 05d36abc4853eda468eab68d289337962c76195f
SHA256 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0
SHA512 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\TransmogProvider.dll.mui

MD5 dd549e06e8b1a71eef97ebcd494fcc10
SHA1 b020953e0bb6dd6ae80f881f59591d067e75c63a
SHA256 1be0b61e8978639eb2f66956a1604f6f0a2d668f868a9ff48b5db33dea812901
SHA512 0d3f4700bd676a03d39460a7af08780eb06bfba2c9bbb6827ff8a39f37d0dc946de057ec2fd70715ce8839f55927cbea57c7d8b85a859252b0dc8d9a23c7b540

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\TransmogProvider.dll

MD5 84ae9659e8d28c2bd19d45dbe32b6736
SHA1 2a47058eafab4135a55575a359fbd22390788e93
SHA256 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4
SHA512 d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\SysprepProvider.dll.mui

MD5 93d076056dd01dfc64d95d4c552a2dff
SHA1 a90fd06a62c6d63d87e00f5f7e9646b44d2c726a
SHA256 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4
SHA512 b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SysprepProvider.dll

MD5 8bd67d87dbdcf881fb9c1f4f6bf83f46
SHA1 10bd2e541b6a125c29f05958f496edf31ff9abb1
SHA256 f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204
SHA512 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SmiProvider.dll.mui

MD5 fe9a7502d09360933fec35a1dd9cb46e
SHA1 58721b66c428b32619d7f09568e86fa1a9339849
SHA256 ee5a25b54776a63bc5bdd9a5ac3c6cacc7bf2b7f3761d2b489ef0060e5ac031c
SHA512 9f8c752a19e8404c7c9497fc9b457404eeaed2d6a071aeb4927fea7c2d3fabb1547e479d8525547f4c190a56113a26a53575b4a7e4bb76c65ea656304b753a0a

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\SmiProvider.dll

MD5 ad7bbb62335f6dc36214d8c9fe1aaca0
SHA1 f03cb2db64c361d47a1c21f6d714e090d695b776
SHA256 ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb
SHA512 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\SetupPlatformProvider.dll.mui

MD5 54e7735303befc4017c8f7f79c70ac7a
SHA1 0e165c98d94ccadb80aaa8bba7644f50dd16c119
SHA256 79bd40a61064b856fa169d2ab92e0f41202f08fe78b5c749c9bfb96f471792fd
SHA512 125cff3faea70c3a7e0a3279022685d23bd0829ae7316ee2dc9afb568d03cdad4ce5d948776a736fecfc4f90d9dd655639ab4f2ab7610ad1ee41c48959ab71e0

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ProvProvider.dll.mui

MD5 465ff43b338a4059ee0308a8de105a98
SHA1 0811614122cf0b8e23f805789b1910f788b20ffb
SHA256 49d4ef65391503ab867354dceeb241e7690c92383458fd3349a85c669b80bd49
SHA512 05ccaeea8e613ca50612b73b16175d77f68171a1e5af5111d382fccc88ecc41f83ae84f4c4d91885649197557e0b4c19bee3b23adfd13022b482cb8a92c3b728

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ProvProvider.dll

MD5 70c34975e700a9d7e120aaecf9d8f14b
SHA1 e24d47f025c0ec0f60ec187bfc664e9347dc2c9c
SHA256 a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7
SHA512 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OSProvider.dll.mui

MD5 d1f7a1ea380d32e97056793baba7cb6b
SHA1 f5bae8cfdff3e45aaea570d0425b47833e2da197
SHA256 344d70160791fa6d5e4b39afa0ebe996a4e6092672ce1e0750b4c640ca8e6a18
SHA512 95def4c80bf43a8e9e7cf6dc272e4eb7e1847e5fa997c8a3f2ba53b9bb337289bacd8fd8a719b75818d44ae33ff817fdbf572296b258254543aaff98792a4649

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\OfflineSetupProvider.dll.mui

MD5 19575370d599f89404fe876b132fd170
SHA1 968fdaee7daed95a62cfa33cd03c42804dc96652
SHA256 2ca9f61d307e874e29fbfcc90645a797c82a0891d9ecfd7c3aefa8ea759a2bc5
SHA512 d35a383e49e2614019fdfdf585b607caab3ecaee6e577793863b8a1b84df2bc76de09577c9474b098d026523539f6e7b7d63071dfdc601821b5aad73f060e00a

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\OfflineSetupProvider.dll

MD5 9cd7292cca75d278387d2bdfb940003c
SHA1 bab579889ed3ac9cb0f124842c3e495cb2ec92ac
SHA256 b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f
SHA512 ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\MsiProvider.dll.mui

MD5 8cf549ca23aa04d862ebf6e6e607cc54
SHA1 6348fbe4f32a01460de297e472343b3c0b32e34b
SHA256 634ca4c93f54c358d1c541059a2e60fdc4a11f38ab676ed379a9e38a2fb3797d
SHA512 5cb719abbaac3498cdded40ea191158621255f1fb958835e01809ef7532e5e8b3ad03af1170f0464dc7bdcf49230457e86c8c58640716c629fe659e94112fce9

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\LogProvider.dll.mui

MD5 49546b639236f0f120a4982ba840f563
SHA1 cc080e0ce4cfc5a5e1bcc02823875234c05759f6
SHA256 bf2d54f231f3e814a401b6598793dc3604e2d381c3b3d9b5479c9fea87dad2bb
SHA512 8e6f8cd409a601be098fb1e61e733e5ce7fc06e365442e7a2ec508dd44bad2b10bd45288419bb672be5a278501da965831c8e92da545af8a3070ba66a4b01a8a

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\IntlProvider.dll.mui

MD5 7a667def21a5d84e95c0153e463667e5
SHA1 f980aab6026c343c535441fd52283713183e128b
SHA256 db2888717225eb457283c28424f1ce53397d0aa321b7619ebe0884cd10fe6c15
SHA512 dde58035cf1e53d4afe66aa69fee934ca31264fb4c12dff62c39a4bd47381e4c07a977b58dd4020d41f0c7bbc502d5ee6f3c43628d4fba8261a82662ea4c666a

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\ImagingProvider.dll.mui

MD5 cc4d83d9206a2352295b036204b1e1bb
SHA1 89647c71480550dbd8ed0fe5039d53996715be9f
SHA256 116a74db2b5024a38307080651aeeb98d15212b1c2547822421f38dd43699714
SHA512 87285d309a6410e006eb5b3277de4219bc836f531211677e615e875ea903462a38ac8be66ed08dce804d7b782eb4f4c01f73de5c3a0f90a36859b87b56fa0c4b

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\ImagingProvider.dll

MD5 35e989a1df828378baa340f4e0b2dfcb
SHA1 59ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512 c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\en-US\IBSProvider.dll.mui

MD5 d4b67a347900e29392613b5d86fe4ac2
SHA1 fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA256 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512 af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\GenericProvider.dll.mui

MD5 5699303a2d4970f89360068b6dde8674
SHA1 371a7b79e71bad4d7da3fc5d79b0be08251fd7b6
SHA256 26995bef958d5c2b5748f3f17d2767a9918ef8f2a82b98859913656b70e23358
SHA512 8a8d07a4127510950a96701870aca16e315732c88a3d359133c08820a4f0fc4df8eb62364b80af1e7792da5a5bb4c453938c96acea208434f9e6995efc7002bf

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\GenericProvider.dll

MD5 ef7e2760c0a24453fc78359aea3d7869
SHA1 0ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256 d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512 be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FolderProvider.dll.mui

MD5 c514bf1f906c4505b159ac558b3192d2
SHA1 0c97fa7adda3da788f6cdbec0aef00e68bc46402
SHA256 09eb31cca48ab46aa3ffeb1efa50ee1a0bb58fef66328fa2f71e06e9f0ef5a2e
SHA512 e9b6c78179f394d5c69718d9ce82bd6f6b278067b68a79e9138cf92d48554ffd65c47a722dc02b9031a89ed23065c5fffb529f2ff35856c20c41d5d849fbe915

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FolderProvider.dll

MD5 4f3250ecb7a170a5eb18295aa768702d
SHA1 70eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256 a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512 e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\FfuProvider.dll.mui

MD5 4fe1ece3b234048791d5d97844fe3304
SHA1 dba744f5c41dd136e498acc442da8bd5e0455ba8
SHA256 a7a6297f75e30830ddde1f5dded0a9131a1e9d9dba0182ce7d9f5fb8fdb72726
SHA512 74e74eb1c561be31edb1c944838170e9ffc554ed0484fd7a99381e4cd61bb559e4ce7aa6a785f294df991b0d76b4bec841032e1f9e4c23217051017c3fbf5feb

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\FfuProvider.dll

MD5 df785c5e4aacaee3bd16642d91492815
SHA1 286330d2ab07512e1f636b90613afcd6529ada1e
SHA256 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA512 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DmiProvider.dll.mui

MD5 f1414df5b1c4c9aa010b60fc0f49c28a
SHA1 75649556f45c3c0e4566307598472937f994b725
SHA256 3717e900e1490eab331474a0cf20010a5f775d6c45bd6d3406cfda8e6241f864
SHA512 d0b33c06fbbaf9a721803e7ecf1130c91e2234fd3dcedff291fae1d828a6c486229f670d8d3fa0143bb2604bc7b370f71e9f618fd7aa609acdfdf1667d014fc1

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\dismprov.dll.mui

MD5 bc47aa123dc9506548cade2321707cc7
SHA1 dd401731adcb6623d37e35dcbe8bcdf6b6adee7e
SHA256 b9c42d0a45fbdf2db979922d60e3f3dea41c2dbccae80de432674758fb23bc0f
SHA512 4d3cc7027323020c6c6bdaf6c52541ffbfe144d2285b549004ae6b724f24b9efddb7d3a7ca5053786d67e6181e1a3ff2acc9b231ba42e36113603dd6402204db

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\DismCore.dll.mui

MD5 f91875c04330d1f8cbb6bcfa1637be8c
SHA1 abb88cf8347b02b9a3939d8eaa0a762f09520e9a
SHA256 4ca363ac6299a3eff6f099c6897ad45793fe0e2093f6f2782614b7a98bc40ff1
SHA512 c1439fb8c0ac0872247d64fb98ad49b158cb0d742f40d836e2086c97606b6bec0ad29b8c5fae6ea72c6695cf34efe2e3dacf87be5874fcadacd0439ca19d08f2

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\DismCore.dll

MD5 b1f793773dc727b4af1648d6d61f5602
SHA1 be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256 af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA512 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\CbsProvider.dll.mui

MD5 e5fe9e638b4744b799579563e433aeaf
SHA1 380b3f0fb659fc43f5fadfbcccb4fee049a668c4
SHA256 b6517203d9dde04a3b8a715cf47f83825928e4316e09763fe3cf0f6e1b1d8cd3
SHA512 5bc2100c11847c4744673e894d3c8722053271f3bf15788e4f25bcc2a14089cffb761784b260af593463abbf3a9efaf7988f946005f94be016743b8369e695b2

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AssocProvider.dll.mui

MD5 2168d71b7fd5330ab5fcfcb5ab1b1c07
SHA1 2d8042e479875499aa2093c8bd245c2291739144
SHA256 f4b88cb87179472655041518d123149eb49f1f484fe581805e3a2e35c4b1e344
SHA512 409ee809194bbc5bbfa5081a368f8834828f396e56d00436ac8f1c30bf7b0974bbae1b8790dfc08a1b6d83f771493ef7b0372cce4feb079533254f5ed665e360

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\es-ES\AppxProvider.dll.mui

MD5 842ef8185050a821269f5e2ed5f0490a
SHA1 b39d06f75aa4b9b46f342d07f26c84f64ba517d9
SHA256 41c8b7200845f5ffd7466dcae1db7b8c25833f2f8118593f8c2770246a322a4d
SHA512 0ce48d990885e90a06f9829e626a73c3be7a8b214816d2792af75ff7c708ac55d047895d773052a2b67f80e3c61def222a0b78450ae3e48b5ad7c20faaeafc6e

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\AppxProvider.dll

MD5 a7927846f2bd5e6ab6159fbe762990b1
SHA1 8e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA512 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

C:\Users\Admin\AppData\Local\Temp\7E8716FE-4C4E-453F-B231-12C864D5B2A2\CbsProvider.dll

MD5 6ad0376a375e747e66f29fb7877da7d0
SHA1 a0de5966453ff2c899f00f165bbff50214b5ea39
SHA256 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA512 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

memory/4160-411-0x000002327A5A0000-0x000002327A5AA000-memory.dmp

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

MD5 67a8abe602fd21c5683962fa75f8c9fd
SHA1 e296942da1d2b56452e05ae7f753cd176d488ea8
SHA256 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411
SHA512 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

memory/744-470-0x000002182DB50000-0x000002182DB60000-memory.dmp

memory/744-469-0x000002182DB50000-0x000002182DB60000-memory.dmp

memory/2936-472-0x000001D80AC80000-0x000001D80AC90000-memory.dmp

memory/2936-471-0x000001D80AC80000-0x000001D80AC90000-memory.dmp

memory/2936-475-0x000001D80AC80000-0x000001D80AC90000-memory.dmp

memory/744-476-0x000002182DB50000-0x000002182DB60000-memory.dmp

memory/1244-484-0x0000016973FC0000-0x0000016973FD0000-memory.dmp

memory/1244-483-0x0000016973FC0000-0x0000016973FD0000-memory.dmp

memory/1368-486-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp

memory/1368-485-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp

memory/1368-489-0x000002C6DEDA0000-0x000002C6DEDB0000-memory.dmp

memory/1244-490-0x0000016973FC0000-0x0000016973FD0000-memory.dmp

memory/1456-873-0x000001F42BFB0000-0x000001F42BFC4000-memory.dmp

memory/1456-874-0x000001F42C1A0000-0x000001F42C1B6000-memory.dmp

memory/1456-875-0x000001F42BFD0000-0x000001F42BFDA000-memory.dmp

memory/1456-876-0x000001F42C230000-0x000001F42C256000-memory.dmp

memory/1300-904-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp

memory/1300-906-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp

memory/1300-905-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp

memory/1300-907-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp

memory/1300-908-0x00007FFE898D0000-0x00007FFE898E0000-memory.dmp

memory/1300-909-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp

memory/1300-910-0x00007FFE874B0000-0x00007FFE874C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD9A6.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7KRX8WJ8\signup.live[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml

MD5 72aeabca3cba8aa087e9d28257a11f1a
SHA1 7365f0a2d6bc306724bcd9da2f67f65f47583f3c
SHA256 f8ee819650ca1ad05c24278815663fe0419bbe16724c639824bf1c54920b2987
SHA512 2cf83edfd53f0b34361983115e3a8208c9691b3d92d34f5f2045fc5ece5def2057a58066b0ee3de2eb322a06284e548693a31ddb273ca625b83b39d3420212f0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3FZEC79\msft.hsprotect[1].xml

MD5 93f8a291161a802b6bb55bd373dfda56
SHA1 0ed92541156096f211af20775ca2809e44ae8c76
SHA256 7db754d23c2dc73c1f964a3e27858809f40673e8e1440c586e681cda1aae5c93
SHA512 5611f88dd31c02a1b992e8a26392f63f916918ce4f11f4e8b2ba506ebebb9d042bcea5ef9b3fed8ff6586a7799546ffa14d316fa4d2afe273200b1072eff7289

memory/1300-1512-0x00000199F18C0000-0x00000199F19C0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 303c052341340d8144d681a50979d595
SHA1 ee5c989933117ac5f03151e3bb0aae846ad7ad91
SHA256 b8679fe579a4af2a0d822656109fb155d1e1da1186fa1aeaa9f4b328fafe17e2
SHA512 afe0ca32a36f66796424bef9cd65a27ad5dabf423b2fbe9c4e49fe43f0e5c92d82928b47f005a389bf6474ce6a39fc654fa00f22e122766fbeea3e9a7e6ff311

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 301e1fd4d45425aea725be0eddceac9c
SHA1 c6182d7484970ec775dcbea25c039c2bcb89a957
SHA256 45bdd0ed15d0c34c39f8600c82acece058567b6d5b984d71b6101dccf72cf483
SHA512 712710dcae9cca31faad9163c7aab25b1b16a7ffe601157f454e7cbeb5ed02e319494494dc476b8de06c2d0a8e6e351422101ef27c89de524c296b345fbd68ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fc901c1e9b138ce528c62bb43cd29f31
SHA1 393eca1906c6e9930d22216e7c50d2aa63acd532
SHA256 39e70ed2ffb5660281cd7074f9bc9cc8b53455ad886d60d09201bdb5725ebbdf
SHA512 e6a20a6ea8bb7f94d601f033491a91909d4797745fb4ce394399f501e0d3b057335a46133f51090efae10fe8a15dfefa5059d8353d0077964603e397d5937e22

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5efe7d641c8844e82cc16832c8353354
SHA1 260c184935b9bf497bea43ad4c1290b7320c357e
SHA256 0bb308da1d2fe52a86e47c7feb9efa841b5e6db7bd3e7343abb44ef22c62f52f
SHA512 6b32c544e1964f281a62e83a62ff3aab4b2831c723d50708546c5f2fbfae213a334d487e531da7e7bf3d757e62a3ba184e2536ee4e31cc1174c914cd9190e898

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 70e8aa5436668fb83c00dce1a307131e
SHA1 4e7b68eaea1f20f8fa793933d06a3ff8d18c70d8
SHA256 35f51f4a1d504be1ad7b1485c164d056935afaad44df5569fd31a708a8c787a2
SHA512 832959dd3ed5ebcee648114fa544c2521c90d107900b8a44c958f3b1e3b789b05ebd1915f1a181227f45f386cb45d3ef07d741a9b69cda8746e4f51eb2632aaf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fc5b7bb6e085d5fb074978a0ffcd841c
SHA1 6d4bf57ee964b04b9851c54270ac03df21c133eb
SHA256 ae05b2a1ed1cd5055206ea165a641595b492b6c26ccbc03d2c57a6b17d84a890
SHA512 114e70693dadf0cd8a08c64edc6cbe8fe7ded1044ef63f8b7377fd88eae32ab0e289cb906d2dbca4dd2896c4dfb51e717586b975ee3213e433131a593d8ec188

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 42b7b6d870516836392c550ee8f6213a
SHA1 2278ae456620f35da7f25fb57241726320d0be05
SHA256 34337592d4f8f544e6dec300ce2de99cc17626ecec07af3b89e355841f65b18e
SHA512 b9b7704edcdfebacdd4bae36b424087dd61be3017dd2adb815d1045dcb56255d56bdfacb81eebabd769818b86d8cce9f5668c1b13823a03f76a99465f509b066

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d1cd9fea1c5a0457512133349fd63afb
SHA1 8a9138d0e68bd7030906a181681f8d69b0e3c8a4
SHA256 e6f8a473cf45f85944c728cac3cd40072ecbc3eb62da00a59778d794afe66ddc
SHA512 ba1dcc28e06aca5c18290d485d404c31b5bb75fe20932b497afdbe1e6166b262ae002cde7458d3cab99df1b9750e8feb1317963ee1d3a7585b813a26c083ae0c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 bd29a8a07e15487074c75d500ef5ed4f
SHA1 852faf1b0b9d2228f76fa0e15484c926cfdc41ed
SHA256 9acbdb73b42b05f8aceabd04dde43a46d1388841fad9812f113ec7e7176d294a
SHA512 9c8071b8ce8bac1e1b19611b8b5477db4d455921566bcf93be54dd9cc95a95616f28cb6ce853d84e4b8657eda68d7de1f36a4ffc99ce14c83706d688024f6c06

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5be730.TMP

MD5 46056e22cb4b9008fe226a070dd02072
SHA1 a0a72f53c1b0ab075b1209c7f1e874351b96d791
SHA256 9eb68dd370c3883279d58f7e6456343103d19fbd039e77ebef3d2bf6359abd03
SHA512 11ccec7ad54723f99c129600d97322a68d1d8a5977044be496fa062fc411ef8777f65dc92c9bed643b071d0e44faaf447b27a4de62af06671fc8c699df55e512

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 18ca2e4e551656f02f293544799c2ca2
SHA1 aadfd0b9296bf4b60c991039e2f40c583bbc13a0
SHA256 b965048f6b4903774ff6bf6bac99f6705e27f6b27576b175017f37dd9e74d82d
SHA512 8a759351b8ee8919169185cb9ff78cca8108a5301d53a14005bab13ff21124813c5836ab6c90e5dc93fcf0ca134d06c592b1e3da595fb6d0a0416f9f4d0d6271

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2a59ba562dc6290a4ae77a9aab43d66d
SHA1 8b84e9f43355e8eade7f258f93562befae18b755
SHA256 e20d418dbc6a50c89e496f6c2a638092a39012d954614586472d671d557a3213
SHA512 8e10661912bd3ec7cbac07ae9c022008f4d7ef711cb3e7fea9eb86876ca6132b0c846a62ab8e15a65d9c185c51db2d12cc0c25590f4132e9089b7e847a791071

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 dd9369538c842b55ece4fb02deb2b643
SHA1 c109579c55184a2b52584f9105e084be612f9fc4
SHA256 9dcb3ff17105e0f481cf397e1c0467ffd5a69a16a62d04de7a99bafbdd4adeaa
SHA512 e4c0de4986d01f55f2b72cbea0737940d09e56432459728e6f4f592809649cf662a030a90d1254417eda07edbdc3c252ad3eb39ef1fc1386a747a36c8c893a7b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b7f96d9831b6e0d2a14e3bedb11a7c2d
SHA1 4dca452a8b2e91cc0f8435a74dcc5a4a06a436c4
SHA256 f8a54731366f07de408226738e3a553a680a215c71c14df7fb102009c19716ae
SHA512 94fb971a570f626286823849d4f96155ab5410042d17a156f2427946c8a1dea96d7f218f6c93053a810ffd76853930e23a72c8c8182fec4379b5363a1934131d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4f6dc5154371ba678a4d4771368567dd
SHA1 7fc326dbc0200db32ec22627cf099b9087ab39fc
SHA256 7d841d6f58f199571ebb204bb0ecfd187eef533f516e447b64ff541d32fa4b06
SHA512 3ee1f215c36f7ef5aedc4b985cdffa8347fc4ef8509e9bc009ae41b97c916895b3be1930f2b9ddcd2d77de7c4da4e144835fab1c7403f6fd8cca388e20540759

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 935d8c14c191025d9da96e2acfc6dbc4
SHA1 051b298913c354ca92fe5371505cbdd924f0af76
SHA256 0096064594f398d03fe620a62f01e779dcd28b88eb4e8154dd35944929590f8d
SHA512 f8efb774febd88e4e20c3a245001a5676c027974ba13326663217497042aaaf16ab2295be491033aebe1dd10ad33cdb71ad281f0cdffc5aab0c2bb92ee6da47d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 6d0eda8f93b85eb8ace48430272f6953
SHA1 74606774bbafb978413100377c4dc4b005922973
SHA256 e3b7f7340d785697a11af84a30648363b64a31b122b08de75ac7c8abd63d17f0
SHA512 1708c8990fc4501868595d684147c2a05010c5499bb8d38c07d9b099919b41153dc595446ed56f3119af2c6dd9eacb6a3eb41bc70dc7bb491e57051809542986

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ae36da0c9e0e5aa26647c2dba3df5467
SHA1 fd2591f8d8f4d2cfc97d365fed6aa403146fd15f
SHA256 8de05d66f132ddc0b26da9a6418047a75e8fb141bddc8011906a6148fe8774f8
SHA512 a65b99148df4c265ea3e330861fe865e90335a07dc5a4962d9f4324ed234b86b7d3c783ab58f68f4e4bfe84b0a30ae9a153061d11a7728bb17e7c383183197bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 8fb9a36a23f1379bd980652fa9fccda5
SHA1 bb6e3320e7a940e678c73abc3b0bf44d0ed6cfd6
SHA256 79c800c2a1ed220d7e9ae9b2edcfc4ca0f6e4215d3ef009efd77e84edde13e54
SHA512 f1f42fd70fee75a8045e9170093026ae01279a54308d304db48fc8f8dc75d9bc5febef9ee7d405417ab8580e396af1b6ad2f3fdcf3c7a40b7114861af5c493a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0038c68a4dadf4559dc01863e6554892
SHA1 4d98a8e40d2273e5f8387a44622883c18c24de3e
SHA256 46cc3849180e78d5f3f81f5cc5c296002281cdf84709aa78a43e4aabd937d8e6
SHA512 f01b81aba450e429a7f39908e63366749472eb4f6e1a667310bec5e38bc40fb20f7a3c47e462b69d5e7a531cd2c6e5df9c4628de0f4bfedbc3593ec71cbc1c92

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 51821f35a1a6699b60ded647ec3d378a
SHA1 f10868940e5a5a5576aef6bc3ee4a5b891f054d8
SHA256 64ba02c1fa6b1dc874cbdf04f5979527391bc6b9f14141b58ff67427823cc718
SHA512 4d1b67a356c8028c8b178775259199bfb182c85dca4f61a6e3e86be583c72c43496108a490706a2afae49ab66d7567cc657f590f9b0f89e158a9aba7655e98b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0354b2717c763d33f8fe4a5f363f8c42
SHA1 51f407bec254ab7fc5a54f4322f9a8aad6cb6860
SHA256 a686594ef3691e5a27dcc1b9392cd4710435f4087a23a97df29f6c45ccf19cb0
SHA512 8e4ab304ac7cc8969f3d624bc0ae1f890fd7e13d9b97de8eb8ed1def31f99c8ecdb7a066a9d4ae3985a6f280a72c796f6c3ba8cf0c3d7c1b358e9aae1923ea21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fa5af976ae0e6416202ad0c52f28fc7f
SHA1 7f4711e6b656036e4e54179f0e97d53cb227b545
SHA256 50d8f61f5544f45bfb176740f72ec00fffa7c60b8ea3ff8445c9c60d9dc70aae
SHA512 f67c2b8b00c23c2a9658364c5a96fa1acb10a1e26749e21a760c655d173e3630118e64ad96b80a500c0c4a99c0548d77919f2f5e17c715b5714add3fcb21db73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3a4ee881a0b288fd2461f78fb34189a1
SHA1 9c4f21f2fff246a935c1d76d7a30ccf5458c497d
SHA256 b206272f101ce50bbea0923f1c669b3953d893bc7f3c063386c9bcaf9924f18d
SHA512 35a2d20b6f55358403fb9ae1cd027c84cc750b06e14e4bded70090d889632f55ed8b9de256c1957ffb3fd92fd67262b7215b168048842739ed88d4bc58635041

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ba0a3540ea2fe28450d4ad6ab5748758
SHA1 46953243e7db683b7568902cad43463cb524cf82
SHA256 599788933c8b8ba4deca1a501b5fcafddb5c2e10dd79a0e26685c2092779001b
SHA512 8b31b1a2e329032db8334ea7d3492571c3a10912a96cd66a7c709c45d9e2cc5a0e862dd6444e16de63554aa288951cf11015c3cf78d4ef793631efac70caebc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 aba2f40fd333f9eae61cd70da1838043
SHA1 4bb213b49d3fc7c2f661ed944e40514036d7be58
SHA256 006e0e56397a7d275b60a1e8e1101ea366a5e9d348342034e9cd0295f4d07b3e
SHA512 02d0ce0f3a09900f2586debb89fe1047118ca30723585255c4e3756a8e822e53473ea04485038798e19d26f74d06a9bfb60c1fc3703a0383e74a43c207d5a8c0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2cf0c24bf54ce99a553624e9ab6eb0e7
SHA1 74f14d353202c96480d441ed5aefe3ac8f7fbf52
SHA256 4b4a342201dc1845283c25314633e23d6c73773194ad45cabb5dceeebcc90e8d
SHA512 b15477afcbd15487901db9f72c18c5d60bed1203ab031ff4ba33cb4098304b49e6f59d3a764c9fe6104cdfc717ce252849a41bbd5a35dbc4d68d3f4e18d5c6c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 56bb923ee1d4ca34449bb85b7de85e68
SHA1 1328adff2be30b62d25260c0f39ec5946033f064
SHA256 6f9452c3198e1e31d3335d971984cd4d78b152d4f046061015f4f3f2048d5592
SHA512 cb47fcc7bd697371337740edead6aea18dd25abf1cb4634d533cf8bc0d0e4deb6e777f394534bb09805e14bed6f622182ac36f07d4cfd4c9e530b0b816db1ee2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 044f9e76e553a4c5839f000259ce96eb
SHA1 d510cf1457fddde4fb57e71f1d85191e123bde5c
SHA256 c9a2b97e24b81077d612473e87966047b82bbfe5b80b7cf6b80fa160ff5c4595
SHA512 1edf192012616dd70b8fc5e4147f4aaca3bdb7af2072785438e04f001c7e58e94694106fa7b82164752e1a89d950f0c4b39840780fbf41722248a32ff5c2cdc8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a58a97326c8be3aada16ad6421da12c3
SHA1 d29e17b29ff2f7b3f987591e75eff2b083e77f0b
SHA256 a22afc56b94bf4ebf02ede27d24f12defb3eb1715adb969ab980d6b56e581304
SHA512 6f9fd6f4847d47268b096f6f9603781f45988c9338ea8a6064b437823d9a4c1d80bf73683276c9bde3261a7dd4316d605c99919b0612333c33295745363a8190

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 12a75beda9f246e828cb0c96e70d032d
SHA1 a2b358a105ee1311205d8b8b3d63610107815726
SHA256 82715038550ffa97523737031013a7996e2071140a459e41c2666408c80848d6
SHA512 c5abbaff3c56f090d3b9f671f84e988c8bb0810b8b8c20412bdc67b6cabe37dab0db0b4675b34594554a88ea9970d91cae34c2b6718f6d08cdead09be0b1acfa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 98e23bf2e9013eb09d90d044f2f6fe62
SHA1 fd4f0d2e0bd634e858480d6f40c41e503f5e0ef0
SHA256 b5bb644ed9a5592d807b06450565234e335e9f8dabd5478ad84c8c434a6fa712
SHA512 9a5e9f5fa23166c29ab2f4f91383acb55e25b6a473cce76f6a5c713d97d4e32f17e0780e46b5c383313f72c500099d83b95ef242a19dcb99303c94d0c56fcf38

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a51d9ba58f9d1de8cdfa4017d5a26ed3
SHA1 b46a2d04ef6b7b3ceece2911742ff517eeaf8684
SHA256 c87efd7399e9fc18910612d3ecb2d6c374fb49af42b2cd1f33b72dcc09fef3af
SHA512 c7f1dbd0933c2754f11540db104ae26b7f5cf8a95c4d6b0dbc2dbb5dd75e04c548ebc4c3ae2f8a4d9508deccbf7aa7aaf85b47d5ad16943c989a12e078e98736

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 12b7b2aa79a2377d17af09385b7d07bf
SHA1 ad0c7cc1fce55abb4a3973e142d7d4afff26cf70
SHA256 cc05fe4b8ed4bf5c2a421d6838bb29a695db965425c99a84c82b24a45ba09174
SHA512 859af3995e390c460a02d9a68caa90a20f17b50ebe1e543abbd78b59104e599687578fd6e31ee4af0e0df20dbb38091da4707387f394c39ccf5e379264db47a9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 394b9e5ca67e79b96013c6fec7e7fe0c
SHA1 6c254bd09e978e9d2f910aed610c71763bdbd2ee
SHA256 38d2dc5d63fe78464b241aac1285d063b3a12054ac24bdd10eb805f2dff733f7
SHA512 e42a55dc9282668251f5441b573659ba09f9ff11ff274b456c8ae5fc0cc5263cdd2b1bd3d10721c325ca7abb0524ca77854b27c6166ebfb31434140fcd0f5158

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd[1].css

MD5 8fa25b1b1147660a775d31cb82ae4b4c
SHA1 4c2e4f2f11e843a47b472cee9cec331c5b40bc92
SHA256 a179bad5af9f3240b7d0a9858eeca55def89872332b11d9190b3489be77ff440
SHA512 d3d92c13c7ac4a2d3931cf038a27c5226b9c9e9c068f63ecf291d9d6407b06450ed245c5bc0ef953e9cbe2fe112bc5080c190dcb311bb3a62b3f3a9bfed03226

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\jquery-1.12.4.1.min[1].js

MD5 dbd7b1d283bb02ccfb777c11d73d9056
SHA1 31459140706b1a8a5ba0db3ec72b2184eb4ed64e
SHA256 3ac82b5a773ea82258a30c60d277acffa832ce446397fcb6abf39726c4330fb5
SHA512 bd46b6a103733f2320ed8c9b140602c2dc56a0cc35a6a0d300dee303a8194b464b23b8795efb406fd44ca0a3e94ee342d3d9c4a0d533730d11d4a1749c14fae6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\hrd.min[1].js

MD5 e051edec194749aab43851567a27c286
SHA1 ae34370f5f74ce740be0aab15c5231042094147f
SHA256 282e4d51d2b827c4d52d7219febb54e8068aa1f9e5981a2ca4d9fc1ef89892ae
SHA512 f3da52ed0df9a417f6d3eb936d8dac906de6a43bafc381a42094ed25322ecbaccf7c8652c0323f0b8edd7eda0c918d501281760d473d956fd8bfa8991efb8c93

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\jsonstrings[1].js

MD5 7bf7077081c36cd1c279edd956e28e12
SHA1 75f18bcb3dcbd851791db887baf6d2e7f822d1d3
SHA256 bc813f4e19b7c3a0d0df54256ba40cd8a935f7561c84501ef0281ad732d92c6f
SHA512 fb8a882a5a8180f678b64f976802ba470609b94eb96d55b866549c5a47e6b7035067b0066899ea3180bd5a311155982f7f6ec8c950af225b2a48ceb42a1fea34

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\CommonDiagnostics[1].js

MD5 08fbff79b5eec28ddff4d772223b81a9
SHA1 aaabd7e0b32698e8295139c4868e9aee5edbd112
SHA256 773a678845579e6334f19d4e62f29446e7898bd816359c74574e37884503f909
SHA512 f94a2c8d756313a616f4e3dbdb9661af3cc843f74cf066243c649f943e4aeab696e01e37e33cc57df16f73504b529702d28c779931adc2630c6d4fd318ffddc7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\knockout-3.4.2[1].js

MD5 e956a74c005b7a243f0884d67e60f8f3
SHA1 c4fda6eee21550785a1c89ce291a2d3072e0ed9b
SHA256 a305fbb2ba223bf3b56bb8776b85f6f40d60dd082a74dbe28d143b5794c7e393
SHA512 eca283f482092f7793b4c1580cc834f59bd1f958b61b20af05ac1c5c20499676dfb99b58bffcf8ef0b166fa0481850bf78b1f4f4e5450116a0361d6cce950b34

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 736cd3475e87f0db7f2fe8c3b8e15d0a
SHA1 051a35833c245f806362f44a52a92197c6c5c8da
SHA256 64bbc7951902b6ff10a835b6dd0dafb102bbf1d6a6279f1e691c066d22b75a03
SHA512 5338709b4c103d19e15451b1d16dbe3d2440f7e53ba15d9623516759903da2634680c6a5ac951ea063c251757a0c15e07d85e7fc6f7442fa737eb633b167e454

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9c866c417474bfcb040a7bedc60212aa
SHA1 6d7e9a9ddfc685de61426af3ba6798b91d543fd1
SHA256 b07be1699c7398f6a16bdaa7f39175fa932e26c45acfdfbdf3e603077a0d2e2f
SHA512 3ffcd030aa60ce964f5b4e7fcc0031d4aa57161cb49003a2af0f8aaab4709ff1f16bb5930ad39c24589c7ad50a0edd63c1cdffe4feff0cf69bb7971db25c47b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_outlook.live.com_0.indexeddb.leveldb\MANIFEST-000001

MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

memory/5332-2612-0x000002619A2B0000-0x000002619A2D0000-memory.dmp

memory/2240-2682-0x000001C2D2C40000-0x000001C2D2C50000-memory.dmp

memory/2240-2698-0x000001C2D2D40000-0x000001C2D2D50000-memory.dmp

memory/2240-2714-0x000001C2DB320000-0x000001C2DB321000-memory.dmp

memory/2240-2715-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2716-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2717-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2718-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2722-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2723-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2724-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2726-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2727-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

memory/2240-2728-0x000001C2DB350000-0x000001C2DB351000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a0b4b9f24e50d08b6332b965d8deddd1
SHA1 634bbdc4b9a3ef537f6d3c3d2fa936327462288a
SHA256 efe02cc052d6e5121d905fa5e8bd762ab3c7bce40b6ed010f8f1e77d763b35f7
SHA512 07cf239e72566c147b81f4e724d27b164d5c43dfa08826ca49cc2bc17e78a81dfbbdf33756847e42b46506805312ebff8a80dfae8065b5d65d8b65dee6f76b00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4d0f2f590c8938cb24e1403c693af314
SHA1 b1c14a19b49a3e76a3474089d1d00815ba64ad93
SHA256 1f4cda04d50522f5de78e48ce83dd01b7991ea686eb30c8f7e7b79c0e275127c
SHA512 b14aeabc0cd55cacbee0a25a636e8c54fca81b9a0d8c68de9a6385fef907e42b42d84e87c504f157bb0ee0bba07113e0c8b8ec2f750c61dc97ea012dac73afdc

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\b515e778236d075fb60ed7266f260eaf90fab988.tbres

MD5 a71b58190ec957a901493aad0aee9376
SHA1 74725d0b0d56f59652726c02353e380f22b20f95
SHA256 f640f3be4e2923aa3ee64b82a7be4ff77559adfc77182bdce1d9aa1ecb5970d1
SHA512 284b49d1dfdee691270ba3c01e847e13744907a60deccd28d73a9ee9a44fc48bea645f87147a20854a8b806f1783884e9a8e3e379d452274ee633116090a3d60

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\6386bdd51a3972bfe10f158d594c808af29a2432.tbres

MD5 9aec6dd5aeac90b41b839a362f7d41d5
SHA1 aaf698a061bc54ab73f397347fd494c5fa8c1d23
SHA256 ee1ca9aa1de5492b413ab1dc2213fbddba858b93e192e6aa9e51db1ac65e99a5
SHA512 afd34183d28d21c97ab65baf1f5d13d08f0442378fa2ffc0b83020e393894dc06eb2444928604910a25b8a170610135115061dbc32d5edec1de0e52e8546599d

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e35b480af2edfe0aaf0a0d8204630ad8db7dce6b.tbres

MD5 4b65b241c19ed576a7091dd414136a54
SHA1 497e95c2d7de74d5994ca8f7ad2ec7ae61494437
SHA256 03ce65972a7cb816536b4b17d662ce53b55640418d301f0fafcfd50f6cca66fb
SHA512 f78a70b6574a8133ad141d979a12c5c9b3e79e1f7a1892bdde854c13da001a2ab57d3bc46c8d068206ad4ba191e9b1204208e27707b7aab4a0d72c59a96d1da1

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\427a833a6fd8c60b323447dd7e7cbf9705d67d5f.tbres

MD5 e795bb071ae45bcafb34d26b6979635b
SHA1 6f0643459d037f0cb1227eca6562a35f6f08081b
SHA256 18ff082f8e51c3edd00518f7136e60f9029cc8b0ca642b8121e610a1639cb7b2
SHA512 a4d96e96a57c6f4f20e1e4cce5272aeec9796917cbdb36710d5a3af69f00a669f6aaae7a499e3077119e9631f6769d90d6b738107a508064511e171672c42598

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9b0c889ff339813be4d0dafa66cc5844226f38e2.tbres

MD5 1eddc4a4f525a2b364cd2e9ab76f9d3d
SHA1 0d1662ef6d64ecd1f8408de1e7309a804d6de22f
SHA256 f56ee404dabba29bf1a1a4d889e61511992d86059757f40bab3fed6fb5132ee9
SHA512 4959075dfa4ba2fb1b2e45ecc4b552271b75dced9b94c644f8d0831a4e0de8ea6fd187073cee9d60fa908db8c8c6417edd25305760932173d8374ca59f10e704

C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb.log

MD5 4f4d4d09efe62331cd4224a217863422
SHA1 93920aab0ce893bd6ca92b7608094af6dc50fb0f
SHA256 078eadea7e5d8ad2741c8eaa1462c28094864ca2362153718ba562bbe9bf3f95
SHA512 62a7c400d1832090d9498941b7a12228b11453f3b673f558bdb93591c6192db0e2dcd400698c42537e5f914b27a73f285fa23be1b1fbafd15b0e6aa96850ec76

C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb.log

MD5 fc53efc8046748a1708e527dfd2c28c7
SHA1 b57b22b10cd3db380dcdef6436b592d8561cd25d
SHA256 e2e7af783840333e1356601dc4b4afffd4e7edd874a4fdbd5f659bd7c5f2dee6
SHA512 1c6faa46bdb7a3ced6ae0840e62598e07bb226dceefe06ec768ac40c3eb989a4e3f596cfd89b275bdf17a583953dea79781c6e9d24e8f5631e97ee3e2c567aaa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 36e62fbe08b0a7466ed7d581b30bb291
SHA1 203665a2e979c020d3b7e4eb8b65d88fc583bb0a
SHA256 402d9866ee19776ebcbf5e1585048c2806beaf554fe925af490a174ff233dc85
SHA512 8fc2efa1a282c2e1ccd658380ef385fcfb978ab435dd034aa3d2014cc5fcab161602db6151c29d2ac7a1497c9e25f46301e6202b727fa96974eac7685be63599

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 1348e4e8fc451e8021f935f4b1376c95
SHA1 c6fecb47e09a1a255cbe9a9f03d91d2100cd1737
SHA256 cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01
SHA512 ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 a2d5c41311177bf18a795638cc4e2777
SHA1 40625aa169f3bceb6b96060b8a0634bf8cf5eac1
SHA256 63b9d5b599c016878ea7fa9de88fd0a6e89b09210475f4869b0d8e5a71946c23
SHA512 e5c5cacd31a05a67449ea44fd403f4585960ff3a45104bc1044d2cac2acdc1a3e309241092a327df4f186367cde75355c7622d213925efbbd813cdb22fdc7ec0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 861844a1e60337f63283dd46f927efe7
SHA1 58d8936597bc3f4486ad80a30009c5e7d0afec82
SHA256 40343f8b1fb6d58b69502eb2c7bb660484f6e8c2b9bb188576465debb6067227
SHA512 7feb5b6bc8d9b465da384b5865c3a2d20c3079ebb44891da4915dab637ad3ef3ad35f7a489d9b5fd1c634ffa2b448e19c957c639ddf94e9d610dd6272162dc6c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 c75fb6c2f7d4bce3e92e71212aa9f908
SHA1 2fe10fb75576fd0835f9e8cc7787fc9cf6f44957
SHA256 ef0026722623f63e93c756aea62689193afec567768013c438c3283e53d2fe3c
SHA512 47f9b982ef1f5970ab9028e5647c16c8d3b547541e6b8f80404c25c7a3d1d0ede2e1c184cf40186e26e735f5d8bf8a3eb5eec4363f38c2d5c6f4f4b07730ec63

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 878f1b9f64e4fb5fb252a5e9c4165ba3
SHA1 5fde0f04f6f2d5e871059897877ce7ef54280411
SHA256 3dba58f72ddf8c89e652b88de57b0cd4c10f3de0a5e6b459351e6709302a8ef9
SHA512 cc9399d06047efc6e91de71a4a3b2a0e3601fb10b2ea0589847885a0849dd145f525f239d00ee0a5cf423c9e6cfb2ea3f89f4e19c249a42aae00b825acc209a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 b1967c3d3ddfdd9d53833305d8892aaa
SHA1 0d3ac5311d921f4bba94b84c49eb6e6c858afb05
SHA256 fccfaa31a572f29bc74e62b33d00e01453c086912bdd4c397039988d703f5cbf
SHA512 51ccc21759b7ff7df4e91ad464e89479a23a17079d9ef072f3c8846bdf47a50fc2ff14e174acde3ba75bd90d47b15b8e9baf23bd4c291905e7ae4edcdb77cdf4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 9c32516132d3fb495845fc6d80d03be9
SHA1 b0f9a7898309c2fbc5538bd10065cced3f6d7114
SHA256 a0533c03fe02f9d7956c3b3f1e1a85fa9da7ac5004f881f15dc2a793abc52a22
SHA512 e1a8488d25e72557007211b49c0606bded23b04e7d0844611cbe7e9b6cd090c35758fa56c08fe48f4f3b118fe939926a30db24b4cb513d14a8a64200a8caa051

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 b742e2b02e010e4507d59ab375513174
SHA1 05458811335e96fd069dd3d164927513041c7b4b
SHA256 e8d103e92fbaf535f09c8328980ef1f9740a5eec44c1e5fddd8c8586a969c44b
SHA512 38538de76e552f7ac059e3697ceaee9f64a55aca7d7ed667d584dc07b99d057f93dd91b768ed54c846eb884034da5e85f6497eb9876338586bcdf93ecf5b1536

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
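
The Custom.theme entry directly above carries the digests of a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855), and the Chrome "SCT Auditing Pending Reports" entry earlier in this listing hashes to the two-byte string "[]". Neither records any payload; they are the state a freshly written theme file or Chromium JSON store has before anything is put in it, and the repeated TransportSecurity and Custom.theme paths are successive versions of the same file rather than distinct drops. The Python below is an added triage helper, not part of this report or of the sandbox that produced it: it parses this listing's record format (a path, then up to four digests; "memory/<pid>-<seq>-<start>-<end>-memory.dmp" lines for dumps), groups repeated paths by version, validates digest lengths, and flags digests of trivial content, computing those digests at run time rather than pasting them in. The sample input is constructed from records shown on this page; an orphaned digest line with no preceding path (as happens when a listing is cut at a page boundary) is skipped rather than turned into a bogus record.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Contents whose digests turn up constantly in sandbox file listings without
# carrying any payload. Computed here so the table cannot drift from hashlib.
TRIVIAL_CONTENT = {b"": "zero-byte file", b"[]": "empty JSON array", b"{}": "empty JSON object"}
TRIVIAL_BY_SHA256 = {hashlib.sha256(data).hexdigest(): label for data, label in TRIVIAL_CONTENT.items()}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9A-Fa-f]+)$")


@dataclass
class FileRecord:
    """One dropped or modified file: a path followed by up to four digests."""
    path: str
    hashes: dict[str, str] = field(default_factory=dict)

    def trivial_content(self) -> str | None:
        """Label of known no-payload content this record hashes to, else None."""
        return TRIVIAL_BY_SHA256.get(self.hashes.get("sha256", ""))

    def consistent(self) -> bool:
        """True when every digest has the hex length its algorithm produces."""
        return all(len(h) == DIGEST_LEN[a] for a, h in self.hashes.items())


def parse_listing(text: str) -> tuple[list[FileRecord], list[dict]]:
    """Split the flat listing into file records and memory-dump references."""
    files: list[FileRecord] = []
    dumps: list[dict] = []
    current: FileRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEMORY_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "size": end - start})
            current = None  # a dump line closes any open file record
        elif m := HASH_RE.match(line):
            if current is not None:  # orphan digest (path cut off above): skip it
                current.hashes[m["algo"].lower()] = m["hex"].lower()
        else:
            current = FileRecord(path=line)  # any other non-empty line starts a record
            files.append(current)
    return files, dumps


def triage(files: list[FileRecord]) -> dict[str, dict]:
    """Group records by path: versions captured, trivial-content labels, malformed digests."""
    out: dict[str, dict] = {}
    for rec in files:
        entry = out.setdefault(rec.path, {"versions": 0, "trivial": [], "malformed": 0})
        entry["versions"] += 1
        entry["trivial"].append(rec.trivial_content())
        if not rec.consistent():
            entry["malformed"] += 1
    return out


# Constructed sample: records copied from this report's Files listing.
SAMPLE = r"""
memory/4160-411-0x000002327A5A0000-0x000002327A5AA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fc901c1e9b138ce528c62bb43cd29f31
SHA1 393eca1906c6e9930d22216e7c50d2aa63acd532
SHA256 39e70ed2ffb5660281cd7074f9bc9cc8b53455ad886d60d09201bdb5725ebbdf
SHA512 e6a20a6ea8bb7f94d601f033491a91909d4797745fb4ce394399f501e0d3b057335a46133f51090efae10fe8a15dfefa5059d8353d0077964603e397d5937e22

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 70e8aa5436668fb83c00dce1a307131e
SHA1 4e7b68eaea1f20f8fa793933d06a3ff8d18c70d8
SHA256 35f51f4a1d504be1ad7b1485c164d056935afaad44df5569fd31a708a8c787a2
SHA512 832959dd3ed5ebcee648114fa544c2521c90d107900b8a44c958f3b1e3b789b05ebd1915f1a181227f45f386cb45d3ef07d741a9b69cda8746e4f51eb2632aaf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for path, info in triage(files).items():
        flags = [t for t in info["trivial"] if t]
        print(f"{info['versions']}x {path}" + (f"  [{', '.join(flags)}]" if flags else ""))
    for d in dumps:
        print(f"pid {d['pid']} dump #{d['seq']}: {d['size']:#x} bytes at {d['start']:#x}")
```

Run on the whole Files section, the grouping collapses the dozens of TransportSecurity and Custom.theme versions into one line each with a version count, so the entries that deserve a second look (the dropped executables and DLLs named in the signatures, the GenuineTicket and TokenBroker cache files) are no longer buried in browser-state churn. Keying the trivial-content table on SHA256 only is deliberate: MD5 and SHA1 are carried along for matching against older intelligence feeds, not for deciding what a file is.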

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 1ef45d5fbc69215234805a431a6b631e
SHA1 52eda8754e902c7f746a7e3d27bc1dd6c576efe7
SHA256 1374c3682d657eceab5ef8fbd5a8e5656e25e88d5ac5c695ede082d287237e8f
SHA512 5f74313320525fa24d65b0b99d63556943d68cf233b230e7a162becb45e49f38851243215eaf23df0577e1c4578ce3d44a0f346ee7925938a929af60a6314a16

C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp

MD5 11b8a58e4630b73c48180c5e812dfc1d
SHA1 d79ab1567d0dd76985f18c337aec6fa9e14b375f
SHA256 da68ef21bbee40fd047143031d56ab3197d7a4e5f9be63d60e7aaa643d90ecb6
SHA512 bddb041ddd3cac8cbef1fb3ef5ccc71b011847dd6ce021c9f83dad68cff1fe53ecfbf36a20efb14d79b21e5ccdfbff01e97c51fe9c4229f0d5f15093847291ef

C:\Users\Admin\AppData\Local\Temp\TP_3A77.tmp

MD5 0aa0806ecc2f4db6888f0b6055c551a6
SHA1 792ff3cd4c37e77ec7c94e7cb5c380e5516ba5c5
SHA256 b3473c2c13089b77ec4a7cd1fbdb5ee42ebc10bcd5361a339e5378e3094b0865
SHA512 b935daa3a2fcf2361a24ed5160e8c021045176b31e516e9de6036dbf406f199e3b384becadca83dc60b721b8018cdbb255ecf50a66611650ed0b3aa80a36f758

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index

MD5 d97ad49ac1d46f679503a535eb6b0156
SHA1 5728e67169b78a54b2e1dfc8da0b29256fb0897e
SHA256 0c3e5886f456d8d0cc2358276cb6b650982750ac47b5252eb182fcdc8ccbdaff
SHA512 642c2884bc5e29e563154a561a2ecda2b2950939e2a8b42798924ee81673712d3dc8a385134f1e58f868155f17f901d279d508adc6ccac026669f59b56088a53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index~RFe613cf9.TMP

MD5 a3dd97c608c032d3e79bf108d8f1500f
SHA1 3c8f836e8ba640418687ea8e8f81ba4acbe952e9
SHA256 87370627f0e009e2a2739429a2854e2491c0325350811fb4d36b087f533e9d30
SHA512 d5f91476a3eaa8576a7bf2879afbb34c9f5d522e37b32211a45d2c20b5f825bdf33afb5fa6ed86777e1664d8d41e2008994ad8a8811e9c3cce0eef0c624e6054

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt

MD5 66d2cebb55cbdcf9ccc8635cd56c0c5f
SHA1 4cb0722b4f53dc4f03d4ca630ed3489638ab62ce
SHA256 bca2e98693e231f372ff811d1ee558d3790b7e6c6d48c0340e5dc4cf68a7f19b
SHA512 8dcc6431a2b402376c08b387a445e86464c95cae16dd3aca48e094e7384e984ad118979dccfc7f41166228ed9bd7b71e6295ddf85e989e25cb42c30aac50d48d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt~RFe613d27.TMP

MD5 cc7b03102ca98962821c1feec5b833bf
SHA1 f8e7dcd7662af6c7eefe731f415a1352a41bc904
SHA256 26d505b6c7eeaa9ab806d5050cdbad6cc8021fa3bac1ba85ed1d82e0aa3260f2
SHA512 89c2a93cbb7f85916baa721d8f646df84b137d3be5c2faa137b1119f0e7667513a46d4cf630a8656c4f0453a40cb869185cbb4ac09af24cf2effe8ef411354c8

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

MD5 f90121b08e70c4ad8cb1670f4a527fe0
SHA1 c7320b27a68a09096d0499eb60c14c1c506e1518
SHA256 23e2025142db1d38a5304d52125825c4ceb13766c3a0ebb32f1ffbeab8d9a087
SHA512 024bd78e31e16cb452b9d5d8ac2f1da2cfe062c5691d220a98f08807461f2f005d699584aebfa90f6dc7369b8bbaafc4aab83e76169b2f47c4d564dc96a41dee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 378276438abf4b12461b5575e175733f
SHA1 82a6b2c3a7ae702b72beae6236cba5f10a79cfee
SHA256 ecc825ddde07c7b981fcdd825a2d9820e3c21460ba1ec409468c088cdeef95a1
SHA512 97d8b5e3af0cd531c54ba5de7273d95d5c070220a6384c3be9ed150198f06498f3829260ae1c7c38816b9a623e285319499318767268e49ceea9f74e250c71db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt~RFe614862.TMP

MD5 0fea942f43803cb87fa48442a5c90c34
SHA1 c99d9b82a78c61d33f5988332a424a93b8a5a071
SHA256 0394c9b9aa3a1ea3c7b5e523a7b5738e52889f12d41bbfe23ef0b9213139d9d0
SHA512 9198ff12aa6fcd167ba8c5e436c3e30266144592f3b3544e75952d9a1ca216fda5d2f5c8a757ac25871d7ae6f837e96e3b71623eb4939c94956de473957a60cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 b44bc8bc0db9431c30193a77bccf2f1b
SHA1 f7c41ccbc7ef13596ace28e3762ebdd94af5319c
SHA256 be0a572425d0f41823ff2a6cd0e26f30f82b5db7de65d776e236684298685d18
SHA512 2eb8caf795f0de22784d460adff9bd084707496bf7aa1d8b23382f2d0f2b570e81b0e8e04a3988c816e0778933ff21f88083422c1c51e923069b857180cfe508

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 60792ace472681e4e7af06ea7311e2e6
SHA1 f3559a5432a78334e9ef427300f25882cf98726d
SHA256 6d8e491eb0036c2466e67ca60ae33c6bb7480cd46cd974d7a9ebcf418bcadd71
SHA512 2635a3e6e52fe1632bede2fd19210405733d65005fd4784833fb0226345a1c62a1f5fb93a20cf95b1bf18a8e2e1e9f4b0d2b7e2aae91e1f6dfb6044935ed1085

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 342568911a0c69f88d977c579dca65eb
SHA1 21205c31c2cefc7689caa612b92bbe59c69e76cf
SHA256 31c61250923f7a0d1dd71e3180bc62f0f8fcea59af3ea403399c9b2ce61a522d
SHA512 5b0e20b8e78ed5cb414a8f968faf6153a52d53e3026f10ebf7ec0b7cb8e20a522ce2a1149d86453a32e12dc5431b4c0a9c094aee970cf6b0a441b15f40d83d6e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 1c400a98ba1985e15dd9b66ef46851fd
SHA1 3360163c876f8fedf944378d956c1e9cb2dc3d84
SHA256 9ad8af62597cd6b904cf43fcdb4ad7054cde38eca2175f4393f1ea8c90b3a81d
SHA512 7c9e4675990fb8f0e97f0b6ea884e7e9e9088243703d7fb5b8b2bbbba67ebc8e32c0b9b6c39fc69903be394117050d2ec74d323d167202653c0a95b581778930

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 75bbf54f26efab926ba975f24262f4aa
SHA1 e594adfc5cece11a6962b87aa54e7eeb095d57d3
SHA256 84aa77d07f05c613d3ea60969b990a42c7f797c341ffa719fa512e22bc2e4a30
SHA512 02aedf9fbe9c5906b8718ee0ee518f9715c88b4f596246cc3c81d71232953363ee41ff0b162c31e8672c1c074fddddba32a3e0410747639914a646606598ab52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000073

MD5 1784d82edabfbc66aca767eb7becc500
SHA1 6b5e78f735d0d09fec5ff94efc3374af2a75ad74
SHA256 7ea81e7c911e5ba134b67278f0d7f2baf4e652243c57bb699030ecc77e85619a
SHA512 852dbdb202cd0e83dcd4b2e83a9875db060cc2202d55b9b37c3514e8e63f1d12178a3ba24ea6e2cd10b57888c56477d18a6883e520bbf7092c3f9b2d33746849

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\96ada297-d9c8-4138-bebd-29db841be4c7.tmp

MD5 c8b49426fe1210ce89741d17bc603b0f
SHA1 eaa86f4b435364e8c6da32e800bb1d890d25f249
SHA256 a2ba83321fae2e4c878fd3acd512752d0bdf21d1007873e2d755ea119c72a2f7
SHA512 a4c94b45c648fdb59e9b9cd889f1a0ed282e78e037a267e103ee6a8cb6ed9d41768c8f51431eac523f60d4c355559101705cc51ab4cdba61127e0a483369a793

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000d9

MD5 1ddfad63e0fe9b8f7fc8f5c0a50380ef
SHA1 0e10fe40a9757af729195af1afaf826c6b1d277d
SHA256 d63a4170e2e50c23971a8b98381fc2afd9488998737e147a5a130e431b708980
SHA512 ef5989bc749208a0de56e14048276132eeb5d945c8d92f7922ba5476747ebf02dfc0959a06e1ee21beb31cec044b69591db04145789bbe54af7763c67f3de4b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 9cff2861e70e46a581c46580bc0cc64a
SHA1 bfb77ac471e29df39a4d0f908f977e51914975d5
SHA256 a06aef3700510e2ccce1cd60f4b4ab12c60bf2297abcef90ceca7894f931bdf0
SHA512 38448eee75c38d57f14e4d5aa3726135f517f602e8b77dedbdba2a05055c6afe91c5c88baa9cd331d82c283763d43ff0f24cce80b3841b0ac40356532b44bdb6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b3590e172b42df49d99767291c76e925
SHA1 c3044490806af5b806c4c976bbb0d1a212408ec9
SHA256 82c6861e246830e9b7c8fbd252442811a42ef405b1347de16bbba88b03bab158
SHA512 d73d5d02c9011e4a2cd45ac8323a59a067c39e2ec27faefae442e9dc973f58775697b3a15f0c149aaba379629025829e965ccd6f87824cef1afc96f0a5388804

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 23073689bf885e2f6a8f477c97d79f61
SHA1 1348c084677f13adee8c753093b922459fbf02e7
SHA256 23f82c123fb43aa3a1509fb7e4b6fff32e6eb657cca6e61460b07924873d23a5
SHA512 89f0fb6b60c65d13dbe42df259a95bc3b6fa0c1ce42a954f7301dc9fe7e57fa144a2e48cfbec28b406b9e3940d2ed6550d9579780d3407b20fff8d538a997b8b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-index

MD5 4bdbe9f036c51fa27bef75cd51662bc7
SHA1 fd3b804ccdf95337a49bf4df9e507dc7665e5933
SHA256 f3f1f69241c037ddb2cbfc9c51b6bfd3d66c3cad1d8825d946b8f3a4b8e7a68a
SHA512 9f76938db9202427102bf451cdb9d7b5c2ee8338601e8af825de63b50d725a6e768e87391c31877651951e93de3831316fb946db75f66d16fdccdd6146e0ce0e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\6742526c-4550-4ded-bdb3-e284e891eecd\index-dir\the-real-index~RFe6196e0.TMP

MD5 0f987e9bc585b500f093fc57dcccdead
SHA1 b48e81f9c2fdb2b9baf30a04f776ab2fa33e18db
SHA256 bc65325c1bad7eab010ed20371d24fe02c4b34331b5d867cca61376aabbca6f4
SHA512 83523684a387728e3685b98e7126226a3d976a8a78a76869aaafe14baf60a9c56284a0b7ffaa07795e4eee47923d68c6dfff6037366839b79083d37674a60f92

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\2B15BCF5-27C4-47C0-BB1E-B34F330E721B

MD5 2f82426450332b558a61ae9ca551abd9
SHA1 abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d
SHA256 57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52
SHA512 dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\EDE1A75C-3BF4-4CE5-94C9-2D5E10C38D60

MD5 85ad173999ed440af6120f3b4fd436fa
SHA1 eebe3bae40b0c82db581b905e2a4c4a90055c9b3
SHA256 2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165
SHA512 3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-index~RFe61a96e.TMP

MD5 51bf0864496dd1c6766df5ac6d8f4423
SHA1 a8a0929ff9386c79c93d98b39247b2ef6f8b56ba
SHA256 296237b87601d70f6cab7c618e4abd1a6850f34f8e86a099e6e3ef21b37bf6e0
SHA512 d6f3e64fc9261e5218bf84fc0a0da8642429a41a9988b7eec46b06153f68b6e1cc0502aea1ecd2c4408904302e79e38df4521a9c67c0707133f7a70f0d863007

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\fbda03fa-bf29-4e72-a1d6-1be629ee0b47\index-dir\the-real-index

MD5 79a3e83a5f85d233ee8057c5ab11bd38
SHA1 de307ae53c184fece4666ccdb32dd68b3db33c7e
SHA256 4f6e3cdd7faac1e812554a28371c036f70bdbe50116d419a2f70a7a37731ee67
SHA512 3b08cf0bb911c8720f2631f9ece83f239d8166f06bfc11ee8e5fcb6ccc9bec788dc29bbc8e42df378f5b538b0e0f868ef94dddb1f4d96badc44fbaf5a238256a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index~RFe61ac7b.TMP

MD5 7d708560d7c48eaf77e5edf8a6d31338
SHA1 dd750aa801c193c80829349ca1738862c530407b
SHA256 8bea4a6fa07eaa72b6ee1d5100e977f40d9874db617d6b183b2eb071d3e5fc08
SHA512 31dc78b0dbe0c262e995f8eda49a39cc959f76b1cab0d134147935be3f2b68625a04495fb8eeb0b8ad052fdbfb5739bc979d7dcae54e8538a3007eb3ac9b4124

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index

MD5 ca64c5e4cf2949ef9b81e9bfd2570708
SHA1 aee486ec2a6cc77d349a391e7757dddc4766feaa
SHA256 7fcd5cb39378bba9b9a88d3c790432b596e7426791a91c17208375510ec70c04
SHA512 01f1ca256ca7f5267198184c7aec019abf3f806671a0ee08358c012d913e8e3f4f75b055c8de6b5436700816c0f0a274f7209da9e889f3fa3cf3bf0c1411bd8f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 0ce6042cb591fec35169d1c4007c1b87
SHA1 fccf7e0822f6536f4281ac44d90a331f3f8caa27
SHA256 f6cf29495f5a6c54b8f6d14e63e79522aeb88ed45a7331138bbeaa04c78cd29d
SHA512 1cf15685f1cf68a934b452c1f553b273a456b3a4e3e924f03d8efa53c9ed5ae6aa70d7259ba9e5a914b39b80e7894af98ce782984c290152364b75c9c1ce2646

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 593a3e4e0e9a50485833bca9e3eb2ec5
SHA1 a2bcde9909a04ddc71b31512e880cac32f6b01c8
SHA256 ba28c6bdc71efb704a6a2c48da79cd78e4e170c39af27f51b552a93bbe878681
SHA512 1cc6bf852c5e6d10d96b255960a96dedbccfd6de75d03d994ada8191d764d3dce7dbdee5db162b86fe851f5792ebeae843dde0c9b679f8b9210044c2c54f091e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 678089ac5f0ebc80ac98acee9ac27841
SHA1 6e377f6df307a3f3b9ce618bdcf5603772216519
SHA256 4adcd0e43afb8b5785382be2e9bd56389e8eb1660d3f4cf42bf8e846c80e330c
SHA512 a0ca2d378b33fbd3942296abcf145471e34cff11f2c174793b157bb4dc7c2de0ef4773ea0238c5e68f84c1bcb2242819bb0929343dfc58d1a7e16611bc28e5f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8bcca50d36a1d8e3e20f09c64178b59b
SHA1 e8ad3eec32d4193892c2416ed831bf1307362902
SHA256 125e7780f9579fbfcc40a5d1f70f4236a7473e711e3aa7b816de0ad56ed47684
SHA512 fc018182d1bf64e1733d8f0cc7dc570d785cc150fa01369edf1366a3a3d690d9bcdc1b60ad1655aedc689c0b4727a0b6185a4e5583257bb4527812c06d630b20

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 84393f6249b14b6e0f5801a026892665
SHA1 3a2ae966b62a49095be2364066b1faf30146409d
SHA256 bfd358a00c62ebb647a9f8ef4852c0bb67b8340444f9f6c8d8804fee7bc23d7d
SHA512 c1d08f94b93e04a8a37a8db73bbc175dfadf33864b17f66544b1df309048822b1e5e0c3328bfdef4b02763007f24dada09b68cbe3dda5ea55149c6862a4010ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\8a36b19c-35fc-4e31-bb96-4fffaa06b4df\index-dir\the-real-index

MD5 6cb762347e9e87aae96f4a5a2448513a
SHA1 2a4d9380cfe7cab9e7de790c34db4e13675e1432
SHA256 0954574ff443d12efbc7b57d48cf51ac63992770423bc876f99c26d40df1b70a
SHA512 83fd1b41fb2a1701b8f55366dff8b73f8040231fc5eb8c59071845e8b9a2dbb372c85ccff54883114da458e6376b63bef5a494359f4adfc4c69228ae24e0bb49

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0fd363c28f48d10795b5025db8cbade3
SHA1 b540f44e2b8d67e1749a5b7152f95c63d9bc7df9
SHA256 7004537ea710f2a6a3398d2429930406993052525a92a32853ca3da5f4328d81
SHA512 faabd5f57bfbecdf4accfbba5f915a05ad49c109b97b0fa417cfaf4b2efea1a403b0efaed3a79ba6fce18b35f33cb237082807c8561a66e3ed68ab016037265e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 27d6feb11e97cce605182ca0ca821c7a
SHA1 d393f7e9c4017c12c4e1f2c54400fd6e14eb3aac
SHA256 9a504e11771fe54dc8ea2554595e22d0a9959240919c97e9769ce0b0e65b61cd
SHA512 2576471d1a57f51e593f50c70c08f75b199258097ce6535ab06d22650b7c4a66b3e36347eb678ebcc40787e0d2b593ab1a76fdae51f054f4d266127559d2eb3c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\72978804e7724d1ec1769a0999d234ab4b7b3fc4\index.txt

MD5 4c938d6eb665658e7275cfd722726e4d
SHA1 0c8de1ac38aeac9d4e299c0b6383b880e98f055a
SHA256 d37cc09a6470ded4f8b56b90e54094ea5e99dab8f605bb388c3b5e48206c5ed5
SHA512 b03712310148c9c181fbc9bd3fc55ac2a374074d7cfcae17977bb73890202599b01dfaa6de7161b4a09dd76e6c540bdb6c92e4da0dbd075c68e23c394180151a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fd197c24f5db8f68c34fcaa823aa1cfb
SHA1 e731220406002ef30bfc04d6287b6adb66d7440a
SHA256 bcc036b8a233dfa4292bfdd47903ee8141eedb25c289c15db5928e588caa5692
SHA512 62941d60407baef0d502fcdc2d3ac185c81395804e653366a3ce3e6576b5249a2fdd52b528e16570fea1a3dd6156e7d48dc3e37299c560d22b9170f5a08bcd3d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7bb4abd9808fa1239fbb08061fa90d04
SHA1 32b3a8e94c28137148f038179ff12890630c0b9e
SHA256 7f42c279494da7b5a4dc9c3eeb9dce0c16bb2b5c251f1f9afcbde522032d8b4c
SHA512 4f005f32957a7d3d1115e4677fbce2b21a7f391c3e1aa87bc68789d7e5a3bce8ace9ca940119cb5f0384d3033b56e39f31dbfee3762ea1a26cabe0be8748385e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3d09c308514b4293740f16a7e94fa953
SHA1 4939c879b7bf497c554cbd76891d02c5a48e6b73
SHA256 e5ff2cfecfa9ce6391c98994369216a15037253b4c50c2533a5cbaf6ba3300de
SHA512 bbfc7cb0b9593c9526b84328936bb9ee095493e1be587fb8894e682f222f22f74ae58a664cd4918fe6b05541fa8aa641873e406b80fe1d53c6363aa236c42803

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e8ab30682a6621d761eac609abc45c3e
SHA1 b155bfcb5bc5633298a1adb800c1cead775768f2
SHA256 4a2b7301fcbb1e3ea80fbcbb46ac605d10573bc663490b0687ac6c992858fde9
SHA512 610be783e0c840862cb5c759a37d7b963efc90a1082d9fffd9991a48bbc81e7388e1c2ff00883ab424e00b75607b6a8f1e546d62e41feb9f736d1aca67eebecd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\cda3e0ff-01f7-44b2-b397-83fff0d87947\index-dir\the-real-index

MD5 82302bb17ba05dceca8a4b2f64a32d63
SHA1 701095341fda0309a1f65939dafe8e22b09fcb7e
SHA256 90e18370f8ccfa2aa8aa5fbd848a1b11fd87986a21c6dcc6a5710f75d61d473b
SHA512 72fcd9f6fa0496821922c736fe049ff3f7b4045fbbaa497f99791316fc06bb39d2896fdaebfd6e1df202d18f809eefbc0889b976ed767a26b6be76bb2107485d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0f48a22277f64c442756e922770a3faedfa75bed\index.txt

MD5 519e3b6864f0c65b308aa491028ebf51
SHA1 4ba0d6f37045aa5e5df4ce34eb73d26f3d96bc88
SHA256 d684f5b1eda9a073502582d572e3a1869e6a1e5f6b7cabfb3b554d939a95e4ea
SHA512 12f7b6db65a06230202cddcbd26ffb78fecad1619627c1335c41d476d82844617a43c21d7415e283e76df3235bc30fdff89478364449ad1ce56328ef3017ee16

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f4fcce1495995658fef7e8836f8303a9
SHA1 2fac1b22b1d31713090a31bb9f39791b32ccd183
SHA256 3f947a891b8f8af11d64613aa3bf17174eea1cf69b7f7a16d71dfb8c65e3aac2
SHA512 19357e9b1700f7c67260cb5f2c87bb8246c6c335e3ac6043d10012f2209420b50ae5e07995e0298f69393c7df56080f71c978a038023ed22bd911d42eb213fd6