1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
1406s
max time network
1405s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

6^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3648	powershell.exe
4524	powershell.exe
1764	powershell.exe
4508	powershell.exe
4360	powershell.exe
5476	powershell.exe
4668	powershell.exe
2404	powershell.exe
5440	powershell.exe
4012	powershell.exe
552	powershell.exe
2812	powershell.exe
804	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
170	camo.githubusercontent.com
185	camo.githubusercontent.com
186	camo.githubusercontent.com
187	camo.githubusercontent.com
188	camo.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1312	sc.exe
4672	sc.exe
5256	sc.exe
376	sc.exe
4956	sc.exe
1536	sc.exe
1764	sc.exe
3052	sc.exe
2348	sc.exe
1056	sc.exe
4340	sc.exe
4536	sc.exe
4932	sc.exe
1536	sc.exe
4880	sc.exe
2952	sc.exe
3840	sc.exe
1808	sc.exe
4372	sc.exe
1864	sc.exe
4164	sc.exe
1788	sc.exe
5600	sc.exe
3512	sc.exe
2876	sc.exe
5248	sc.exe
3616	sc.exe
4668	sc.exe
5664	sc.exe
2096	sc.exe
3648	sc.exe
1316	sc.exe
5020	sc.exe
2744	sc.exe
4712	sc.exe
4508	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5848	cmd.exe
5812	PING.EXE
2556	cmd.exe
4940	PING.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734933398672568"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5008	reg.exe
5396	reg.exe
5116	reg.exe
5888	reg.exe
1416	reg.exe
5500	reg.exe
32	reg.exe
4584	reg.exe
4460	reg.exe
4492	reg.exe
2276	reg.exe
2240	reg.exe
4524	reg.exe
3320	reg.exe
3016	reg.exe
4244	reg.exe
3968	reg.exe
3752	reg.exe
4536	reg.exe
5428	reg.exe
1740	reg.exe
5240	reg.exe
5252	reg.exe
3184	reg.exe
5604	reg.exe
3524	reg.exe
5812	reg.exe
5180	reg.exe
1056	reg.exe
1344	reg.exe
4392	reg.exe
1068	reg.exe
5104	reg.exe
2464	reg.exe
5188	reg.exe
3064	reg.exe
1312	reg.exe
1904	reg.exe
1864	reg.exe
884	reg.exe
4116	reg.exe
5568	reg.exe
4940	reg.exe
4116	reg.exe
5604	reg.exe
2844	reg.exe
5464	reg.exe
5160	reg.exe
5288	reg.exe
1788	reg.exe
4172	reg.exe
5476	reg.exe
5184	reg.exe
884	reg.exe
5620	reg.exe
548	reg.exe
5804	reg.exe
4592	reg.exe
3084	reg.exe
2716	reg.exe
4392	reg.exe
4832	reg.exe
5156	reg.exe
4964	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5812	PING.EXE
4940	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
752	msedge.exe
752	msedge.exe
5832	chrome.exe
5832	chrome.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
552	powershell.exe
552	powershell.exe
552	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5600	powershell.exe
5600	powershell.exe
5600	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
5392	powershell.exe
5392	powershell.exe
5392	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	AnyDesk.exe
Token: 33	448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	448	AUDIODG.EXE
Token: SeDebugPrivilege	1476	AnyDesk.exe
Token: SeDebugPrivilege	1476	AnyDesk.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe
Token: SeCreatePagefilePrivilege	5832	chrome.exe
Token: SeShutdownPrivilege	5832	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe
3060	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	AnyDesk.exe
2864	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1476	1068	AnyDesk.exe	84
PID 1068 wrote to memory of 1476	1068	AnyDesk.exe	84
PID 1068 wrote to memory of 1476	1068	AnyDesk.exe	84
PID 1068 wrote to memory of 3060	1068	AnyDesk.exe	85
PID 1068 wrote to memory of 3060	1068	AnyDesk.exe	85
PID 1068 wrote to memory of 3060	1068	AnyDesk.exe	85
PID 3116 wrote to memory of 2988	3116	msedge.exe	140
PID 3116 wrote to memory of 2988	3116	msedge.exe	140
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 1992	3116	msedge.exe	141
PID 3116 wrote to memory of 752	3116	msedge.exe	142
PID 3116 wrote to memory of 752	3116	msedge.exe	142
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143
PID 3116 wrote to memory of 5128	3116	msedge.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault13808b5eh4262h4982h9db1hb1d29a38e3ab
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcbeac46f8,0x7ffcbeac4708,0x7ffcbeac4718
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,1637393633426038587,5388469342832818774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,1637393633426038587,5388469342832818774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,1637393633426038587,5388469342832818774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcbe36cc40,0x7ffcbe36cc4c,0x7ffcbe36cc58
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3836,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4932,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4420,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4696,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4604,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3192,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3176,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5148,i,18106149381649853081,15688723552475084051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:3356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
1⤵
PID:4580
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:3512
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2404
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:2464
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ver
  2⤵
  PID:4172
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4584
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1304
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5256
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4032
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:5184
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
  2⤵
  PID:5224
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5252
- C:\Windows\System32\cmd.exe
  cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
  2⤵
  PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5440
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:5160
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Windows\System32\find.exe
  find /i "True"
  2⤵
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd""" -el -qedit'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" -el -qedit"
    3⤵
    PID:2688
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:4672
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4468
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:2276
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:1064
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:2404
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:5348
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:4308
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:3612
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:2240
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:5292
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:5480
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd" "
      4⤵
      PID:5256
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:5236
  - - C:\Windows\System32\cmd.exe
      cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
      4⤵
      PID:5252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4508
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:1864
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:5604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4360
  - - C:\Windows\System32\find.exe
      find /i "True"
      4⤵
      PID:1960
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5848
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5812
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:3064
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:5804
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
      4⤵
      PID:4940
  - - C:\Windows\System32\find.exe
      find "127.69.2.7"
      4⤵
      PID:1580
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:4012
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:1760
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
      4⤵
      PID:4468
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:1560
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:2536
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:2404
  - - C:\Windows\System32\mode.com
      mode 76, 33
      4⤵
      PID:2844
  - - C:\Windows\System32\choice.exe
      choice /C:123456789H0 /N
      4⤵
      PID:3184
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5256
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:5236
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:4668
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:4296
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4744
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:3956
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:548
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:1056
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:5252
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:1864
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:5604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:5008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:2716
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:884
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:5160
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:2876
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:3752
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:1008
  - - C:\Windows\System32\cmd.exe
      cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
      4⤵
      PID:3852
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:4340
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:5440
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:3380
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:1416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:3064
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:5804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2812
  - - C:\Windows\System32\find.exe
      find /i "Subscription_is_activated"
      4⤵
      PID:4012
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:5464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5476
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:5240
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:2012
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:740
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:4088
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:5064
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:5020
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ver
      4⤵
      PID:1416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2556
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4940
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5812
  - - C:\Windows\System32\find.exe
      find /i "AutoPico"
      4⤵
      PID:4032
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
      4⤵
      PID:5348
  - - C:\Windows\System32\find.exe
      find /i "R@1n"
      4⤵
      PID:1912
  - - C:\Windows\System32\find.exe
      find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:828
  - - C:\Windows\System32\find.exe
      find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4172
  - - C:\Windows\System32\find.exe
      find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:4672
  - - C:\Windows\System32\find.exe
      find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
      4⤵
      PID:2812
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:3184
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:4116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      Modifies registry key
      PID:5396
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:5188
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      Modifies registry key
      PID:5500
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      Modifies registry key
      PID:4392
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      Modifies registry key
      PID:2844
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      Modifies registry key
      PID:5464
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:4668
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
      4⤵
      PID:4964
  - - C:\Windows\System32\findstr.exe
      findstr "577 225"
      4⤵
      PID:4992
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:5248
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:1056
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:2952
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:5116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:5604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      Modifies registry key
      PID:3752
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      Modifies registry key
      PID:4536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:1068
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:5568
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:5428
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      Modifies registry key
      PID:3320
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:3840
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:1536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:5288
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:884
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:1312
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:4492
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:5620
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      Modifies registry key
      PID:1788
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:3016
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1764
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:376
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:3524
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      Modifies registry key
      PID:4832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:4244
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:5888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:1740
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:32
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:1344
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:5104
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:5020
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:4340
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      Modifies registry key
      PID:1416
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:5804
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      Modifies registry key
      PID:4940
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      Modifies registry key
      PID:4592
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:5812
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      Modifies registry key
      PID:2464
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:3064
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      Modifies registry key
      PID:5180
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:1808
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:3616
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:4584
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:3968
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      Modifies registry key
      PID:4172
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      Modifies registry key
      PID:2276
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      Modifies registry key
      PID:5156
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:2240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      Modifies registry key
      PID:4460
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      Modifies registry key
      PID:4116
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:2744
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:4712
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      Modifies registry key
      PID:4524
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:1904
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      Modifies registry key
      PID:4392
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:5476
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:3084
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:5240
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:5184
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:4964
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:4956
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:4508
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:5664
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:1864
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:3052
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4372
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:4536
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1068
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:2096
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:2348
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3320
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:1536
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:3648
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:2544
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:1312
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:4164
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:5424
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:1316
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:1788
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:3224
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:5600
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:4880
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:4740
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:4932
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:2416
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:1740
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:3388
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
      4⤵
      PID:5800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version-KL\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "6" "
      4⤵
      PID:3512
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:3616
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:4676
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        5⤵
        
        PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2276
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:5240
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:1944
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:1056
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:2952
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:1864
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:3052
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:4372
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
      4⤵
      PID:5696
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
      4⤵
      PID:1068
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
      4⤵
      PID:3840
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:3124
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:5288
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:2016
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:3648
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:3956
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
      4⤵
      PID:5620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        5⤵
        
        PID:4744
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
      4⤵
      PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "
      4⤵
      PID:1648
  - - C:\Windows\System32\find.exe
      find /i "Ready"
      4⤵
      PID:1808
  - - C:\Windows\System32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
      4⤵
      PID:5020
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
      4⤵
      PID:1748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4668
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
      4⤵
      PID:1864
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
      4⤵
      PID:3052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
      4⤵
      PID:4372
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:5028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:4492
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:3912
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:1988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:5620
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:740
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:4940
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:4648
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:3224
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:2464
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:4216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:1516
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:3616
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
      4⤵
      PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4524
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:1756
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem15F.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:5804
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:3616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
      4⤵
      PID:5116
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
      4⤵
      PID:2256
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
      4⤵
      PID:2544
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:4392
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
      4⤵
      PID:3388
  - - C:\Windows\System32\reg.exe
      reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
      4⤵
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
      4⤵
      PID:5764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1764

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:5424
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temF922.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bfb818d686e7f72525d62d091d79b812

SHA1
13fb22899e4708fd797785cc467c120800a1e7a1

SHA256
18387fd10ce3af04d83d16a245e258ffdb46bb69e4ee6c240ecf460b9a6e8d8e

SHA512
41faa4b8a187a950359b2b0b63cdca6b2579dd85d11cabed9770236f9231218f80362c473e530336e8f56321a3f4172f8ab52802061413a3a962945590c05325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ef4119973248c4991a56dc2231ed166b

SHA1
2f385deaaf8928b9d7b101db65c038699adef91b

SHA256
6bd89a824d1bb54446edc19d5fa118f0d8061d1f61db7b2af055d43a29e6a1b6

SHA512
88ff3cf9127b31591610cb313c3d7a3cfc33f8bf37786c2cece53d1d49ea8e65f26e8e4b24f504793b3ea9815ca914a74efd0ffc0fe647238def4022e247fb6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
89e95d66f6c0ee1991c95a99a7b37d58

SHA1
2ef77201fde6ab2c421ae8b72ccb20b504b8596f

SHA256
165bb049f68a803dec45c26c403bfdd11a092482c54173b57aa10923465a19ae

SHA512
d20d9bc0fff258179ffb5a7e318b8ec3ab20fe6c3f88082847ed79b46760c9cb6cc32cd636c78f02c51b71d91c4df63ffa9a8600f2c26f4b0754701d64d3c296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
1eb03fe6ab9f14fa922f1b3685fcbce4

SHA1
d29d668e8d081d2cdf50499b7b3c5daf5096bc61

SHA256
f8ce2cd4774d1c297d4babf386581fdaad6703bd36ec74ac6a21bb4e7325868d

SHA512
0b18333f0d83bbc3094ed03a92831f7d9ecedc098fbba03f9990555fc43be43b0953c890c7a33affca5346c59ecff2c015bae7c03e80b22e9548df5807d98788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5144091ff216f6c62b195df3621e05da

SHA1
d6222829041ccb1f29762e69010459876ea9fa1d

SHA256
55a2f2c15c73ab3237d17e76d32e8715e5cf1e56477e48ea8139db244f256278

SHA512
3024daf602a7c92eed58ca34a135b7d28634375d2268fccda04765704f0b8d7d086090fa144407b387efddf4702a2096d5ac070b75c893ead31803882199189b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
98473968d590647405f90ffb117de9ef

SHA1
b9c03dd8760d5a0bbf02cf338a59e5d6b7852eff

SHA256
c7f422f207bbaf8a07a0ac38c099ec5cf9e80c936f21b6bca07da076f35e62d1

SHA512
6534045b10280baf38f5d0e8c09f84b474f5bc1e92c418c3adc373db2d1294c391b6ad30e8f6c348c4309d40820fff34d50218bf3abed5ec400c96d0db54cc0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc325ccc5df558c3ecf19834fee7c743

SHA1
954abefa7a6bc6b77fa2683455db3b6e62543014

SHA256
94c15e1feab720e82513f115c4985cefea8ecfee62753c1f2f48500d1dc56478

SHA512
f2ae773ce268fb093a82b9d482c692ac33fde557d4dfc7c75993cc3ef9c3bdd2c0fd038666ff12c7272dc555048d5a67f99a29ba18a935eabca394048a5f4015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
84af35f89c86664748b2bbdc3fc2cac7

SHA1
842a63b19d0db4698137189feafa0b4d8d8567bc

SHA256
bf4056ded404a7371874ce045208796ff0f88001dfe649f33e026daeb7d4e302

SHA512
10b064c701cc10b248b73a6f51a59e56fcbe6da2f90b780e1a744dce0a5cd0235408509d6298615dfe68296393cb3b2946d03932ce6569750c17f9e010844824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
276b5c8697a7e73fa3a1793ba29456b9

SHA1
4ec24f5bf64b61106397e4db5b75781b503d2204

SHA256
ab6d96ed57fe3c4323ac64be778d847da8767a9dfb5971142f1eeabe1f80dee1

SHA512
3509b44477fc7d30426c9776f9ae545e07324669315b67dbe9fc76ae123b1a07b124f2eddcba784901e927a9012e1f0e2a3fd63b95f91a1010c37c2cbf5042fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa85fc0ee5a0c69fece5f3e4beeb7fb6

SHA1
3596a36b5c72cae298457a1dfa87f7c9faf12639

SHA256
c36bfa28e38d85e9310a73710ce87a1dea939172813df7e32ff9a8d1db7c75e1

SHA512
357a4afa8fb2f1850abba8de3517a2c1bf5391c5552fd91727a7a251dee24ff9204fbd7205a6fc38854bfd03a637eef618b8533a3012a2d5c12a32f2063cc9f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
56c73a71294b4e358d57d8666f394d34

SHA1
3eee0b82bdfc69845e3fe8a12089ad055baf2d9f

SHA256
b1b6669129e4ef743fa877e250b963e5d95af2023b05e458cf71942bc2ba8413

SHA512
18b1ea5e124d3fee8d3b9f6c522e45591e9c0d352c8572eb2406aaf96f65ce696d7503f686f54751465822bfbdc120d6a9fe07ac8609cff7bb4b32d2813239f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
37aa47f321c6be5135df63fd8dcb4f9c

SHA1
cdf44754291d00f8b3a9974bbddcb40b23781325

SHA256
58296bd35cd0d062b882bd24ea1de49e268ca85c2815afc57ddc3624a3525c6f

SHA512
df578dd403dd6155cdbf57db7571c61ea769ceacc0281cdfe4a85726b81adcf3710b62df7c046b701f00ba0d0ddc0a10b8ecf4487eecc34e33bbc5ee2ae8b201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d643bcde4c0636bfb1f72343c7741c4

SHA1
1ce2590f455c6f2da94aa4b50d1824b47debd73c

SHA256
6cc8021112693b5435350762ee6f0159093c7e8d14e385fa32f349cbfcd9e774

SHA512
380deaa2b165856184a2349f03b3edb0f5a44ba5abb690c109babd60b7b34c6696b8ea6c25722b61a416a1f3ed90b8315987b6b99946416b8168cdf6c7740eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
147c30adb404a50484fb6cd996ab7abd

SHA1
c870c23f308f7f4eed3e41937ee2e688830284ed

SHA256
15f810bf1677454cd746ffbbd8400530a9acf23d5682c8b94f508d6ee95a35a8

SHA512
2212fce0d34a6306bb291c68789f52935e716016b38ddc157509558a4cfc214f794043b14bcd20b1c5a9611c12ec4401628cba0b090608ba15b816e37705831e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5e976314f8a4908e3acf5d848b350fdf

SHA1
120fd83542e6341ae7ddce9fcb43107122482aaa

SHA256
265231f3610b211eee72a4d6f2e9b2d3a1c3c19816465afd303e3293843c53be

SHA512
6d60ea09fc28e691f972d0ccb6daa71089de0b5feafe34b696990ead2aa99fca612898c2fb012e276c8986eeaa09a97cc87b081c269249555ef0d2d2343e5d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7afed36eb75a077fda9ec5c6468841d2

SHA1
72f51b633c1d5fa67a9186089c5dbd86e2c1ebb9

SHA256
8c4ce2af2af349fb235222004091ed68d948dc49da58bca14a98651a68c44f62

SHA512
8608f03331081109c2ddafc3fa4f514d81f428b52f0b64f10f30bd59943b5540ae481ec24325dcc806f3fc3a9567f08073435bad96c86c5b3dc6043e60a62464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2bf560a6baae0b567f7038dd088711c6

SHA1
bd4d7c19ef536fab371de55d77a777febe7beced

SHA256
5e51f6220e679f7c3d9ea0326dac461d431434bd7ff265a7490ece9a55d95787

SHA512
d5288321339b79582fd9cc7fa5336f4a3247bb6e5f5669f8535df91b9deaf80cad9d39af4228c102d93e2905e4f0c8346ccf0b60536a1d60aa019ed34a13306d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0f1286124a67cd63763a1fca325dd67b

SHA1
a8a18954b1fe769f11a20bc0edc9cd53a76b3d56

SHA256
677d1c706910382a1b042b831506e0ea031fc97d49a66c84190c07b354cf6bae

SHA512
9d902377f1aeeb1d6b1e909658c8384eadad0b5fa179a19530ea32db6abdff5c6563738f6d3840551f4d485f82fd16b6d6d29a2f23e6aacec6b9bc8ec39c0ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d4bbfd8285238eae8c1efd5b160dff52

SHA1
2dd1b9159455d7d0183bf1c8b0f13364672cdb93

SHA256
75e3357a3b69c478232978a2b38eff5185f980a36ba2ec71043519afb6e6c7c9

SHA512
f60b7555debb3ea7df0671803f97fb566ed63d94841870c6da0c4251502727235683461ee37d40cdca490f2236015e80eb0a9e7c7cbbcec74a95198adb6280fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b07900e7fa979de5cb28988784015c29

SHA1
a193426532fbe14c6eb7e3f7f6d122302204539e

SHA256
d10488f8851e0abfb58127e5bba6822f9879a42b6fd31c59c2133be11b92ce0b

SHA512
56cf76f4c2af71a34a2a944b1d7d8a2033a64bcf7fcc4fcedab7f5823f2b4f2189434afa1c676c6babb922b28ac1f3927f2560926a826e5071a7f02576b2e2ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2b7d103e45648f2a300ffeccefb66d5a

SHA1
c0d1f71be776314452523a448654856742a3c06b

SHA256
96e210932e8c2ef3926c83fd9b84eefe504d59978576682cd90c7503e7271317

SHA512
1ab1cdae5c0e9a84ef86ce1bb46e00dcc82f6aef22573c8b83e1e5802967abaff988357d90044e26da200e6e3bc61887a467f28546cedd7ff904a9ea6b49cfef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6821ca8a6e82132b07e3601ba11b470b

SHA1
e7839d3d184a72c4f8f62428e19544e9643b5020

SHA256
2126e322fc7ce07d07afb4388d502aed0de646b3fa8d4aa8d7d4b95577a4ab5e

SHA512
57c59654590e5b0b6e841dfc93f267633a51bd235a192d321ae3e49f4860f1fd81b2cbff6377996978cd417a3e55d0c60a0f25234cd01fc836a029d9e47f4262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22a21532707de0eff932817d386cc5d0

SHA1
e026786f8f392c306a9677b75ee4fca87976d7b2

SHA256
d043469e72dec9437a4b29077432e74efabd66d5ecc9eaa56494a4a26dc2caae

SHA512
aee13e45806bfc9b2b6a475cd11fe819e8853a3109cef173329725422bdb030ce346c9a60a794642bcc54efa6d3df15bf808e6342596098cf8f52949a9a6d97c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f92addbf1ab3b74f94b468170f0ebb8b

SHA1
04a48c059afc5e85d475b44f85724117ced8d34e

SHA256
cc459467ba82ddded188df9ff7589cd7b4286062bb364b7cbe464e6e23e4bd65

SHA512
5296c86cc01d874e4b0ca842e55fb48b0be1a21eb6516d6599224c1eab0aafaa96fe8a30988a16bc7bbb92a91069fcc8211f08a824b30815a9c40c2cdad18a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3d5d9988cb58eed7104161140e5bb92a

SHA1
ecdba30c08fb0d6cc6c409e45b0995927930b5d9

SHA256
ef7de8b644f33f3a49fb5ce977dcb1f6eab8b9e25879d3d043402da4d42a0984

SHA512
be2ef5f08348be70d6e629969757e06b4d86686bf672e2bcd75eeb51cf89b036865fa242030568c508505d5ddc3c85374ee35742c1eb2e5f1ba08213a5f18099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a7f8eee587c03642a8a71f6229c900b7

SHA1
9d965ec44bc8edd54c951d6d836e24bffd3b147f

SHA256
127a10dfbf8cd9dde9cc8fc767129b2b230431938df444a6333942eb918a534b

SHA512
d3ac101efa6f13c9780d771a6d180793bcd4e70952ac0eaaa37bb1fd19f074bc7b3b794a5c651361aa48bdc2c245b7b7cedf197a33253dd3d808af2a4bb79782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
123f9e94a88e185387f215926f9b04fc

SHA1
b863b9bcf559e0ea073e0508edce950f446ddc7d

SHA256
9b688ae8c4e771610df33308ef4e0ce6d84ed99f12bd6b99e5c30125dfe8a920

SHA512
260416e15b2550f738e206be540cc984ac88ced6e6b8f916243942668e29c07cd3ce6167700210fb8b3f0f34c91e57661a4b9fabb2ebb67bc0928d7896e9be5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f217dc1fdc9fd9bce22f3f3dca0631c0

SHA1
0783b919ad9b89799d612a21b111dab7f43bd133

SHA256
ec9f425739e2d43c8191e37865242281f26254622e3b16f539fa4035811d5fb3

SHA512
818e8528f5b258cb71f3e174cce20c9ca6e6f4433de3b885d057d28ba9cc9ca1598e88d40769b10839b90270c2e1ce73d3127d5f3c3d52d5b687355f80fff961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
82c3866da7fbdde5eafacdecdb2725d3

SHA1
5b2e4e3224c1561da037bce84afdf59f74d47ff4

SHA256
2f489336254e364da296e9d17744c9fcf2b8775e265ed4445a25b66f8dcbcdf9

SHA512
a5ec0ba46316aedce85ad0512180114422778ccbf7900049db0075127fa137ba38eca228fdf37c32c358c27e82b24e1ddcab82e8f648828e31b59bb870a9941c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
77ac38bfc40f6ca0fd8cb29d946c89be

SHA1
354a116d3bfda7f99bdf765c6e9bd35fcf25ba4b

SHA256
24f087df908ca4f733bbb15ab41f02bb79209e5ff19abf9a08b5db282dedb165

SHA512
b01fcc55dbd2b523d4b407ddaa636868216f7c6d7e629383e2714af708724da583dfe1bedac3dfd420be9594af6873d6da2b72654cf7ba9b86cc4b11fd4261a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a242e33c4fbefbf20b408cf5fa1de28e

SHA1
f7ed83967ce0941eff6e64a7a3c0676e0a085f60

SHA256
1b9c984fbe4a17c154b405aa6e81da36cff4fd5eeca2b404172551400eb823a9

SHA512
a5bd0022f3936f0547f4645e875b70bf247cef5cabdf7efb854d6407523734d15843ce13610ffc0bd1d3fa2a71c28aca0acc76f1f05130f9c5ec6c053a1d9da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
69d8135dff871ec3124f0d410a137bb5

SHA1
fadaf1a69becec4774fbf4fb92675033f903f801

SHA256
4201635ec486ed35b64d2f98e1af6f6c79875d82e5a147e37babb434b616e67c

SHA512
67c45120205bce7c353a7e2656eaf53f4f1abba9bc98933114d729bf045c7a2ac55042358534b98dfd5d708186c4806d423e814780503d3aa84810cc72dfd860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6c87829df13b22f09334ba6c7229c210

SHA1
e59c4c7041e28d1f5e26abe2b1baef51b2779077

SHA256
984171c2349648c3d7428260727e4e9f76c99301d796891ccd0fa107252afc02

SHA512
f55a8b3a1dc75f70fb52df92bcf8418a5b901ffba7be543d7a14db5231e1ea01deeff5ddad54f04da2109f4fe71c3007314446f8590a463031ef5d6f8d43fcfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fb72cc1a33622f9a839529d89a1fbd04

SHA1
97b5db2e21e6ad0b33caacc464e9d6d84419ef83

SHA256
acd4e88d9963b8b26aab6925b00c6dc8ae94b71fac934fe0d82ae325f0a6c269

SHA512
58e514144346165018af660be2bb0aed42ffe9e30d179bb0dc02b5c113ff3a46474ea2bf66db1d95465213c540a9cba462ea1f8b7328082ebf049ffc1a52c722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2d4470e23b9c778037dda1d1e7c0ec7d

SHA1
f50b00e19047c4cc46bf809ced635660b85a4ce7

SHA256
5cf00962b9ee5efd1c63efc135913e78d44517643b630643efde33a3588f83e1

SHA512
110f4120d32eff02611888b00f99e02ffd8151944761fddf127282e2ba90d25eebd1666b411d42ca737f141b544bc8d68073cf7487f0cc2a896214888640e525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7b911d2efb6d69384c5698691c96c242

SHA1
032734f7ce9b8b8402237186c019dcc03424b8b7

SHA256
9a202ca90467d18eb56670819cf12b66de2d74d60ffb86d7ff055419979474e6

SHA512
e35cb8acd4b96d6267725dd60473195c9c946e89c913d74a910be2227ab33f680f965deee63c24cc8cc8fce7c1fcd749aa966d6e73ba1f07d92eafafa2e7eb9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0d65a8c07e15a09c062485af9747e870

SHA1
fbc0e2cc1fee0c3d4d6219ff120413c2d489cad9

SHA256
4ec3f2a9a0a5bebefbd733916854c148949255e1ec09194771774b5d4906d1dd

SHA512
b99885d413bb7215d0367c834d7389d4cc08e2c724413c1b9c234447a7f7826e18d4895be8c4c5f0ee9ed6656aeed1199cc88f13cd59a9b6ba6461fe744adeb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1066d3cca736d3d63637a10417c2ce61

SHA1
07797805c34a79640ce01f5bc2244a5f378d5e16

SHA256
e00e342d2850cb3ef125fea081c0a929505d6467fbe55aa9722aa3a31782d947

SHA512
e5627b6cee1f7f9c622ec61bc89c2d402a4a2cf2dccbd245415b7cc4b85840841b4cd2628358a592b2ed4cbed9f5e9bd79f45f3ca1b3db629c7a8b673101b464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
897044cd7f658705f4d140b13f75d049

SHA1
df8e3b906eec0f2fc51a1e80c355f8ec6a249654

SHA256
b2a684a6453a36b53c0bf087b62108a8d90464ae446265379f893eeca7342985

SHA512
cea8981a5b0d12a44c26b64397e75160c07ea42102bda61aa7ab76f399ec63f0788c923f24f3fac70e324f6b63a561e4f662ba0b3d8be1934cc8e62a895f73b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7d3abf872e5177edc4cadb0eecef3573

SHA1
98344fed7f5393430969e969e6a235107d70a8a6

SHA256
e052fc766753a36bff6d9e1a768d2ff403f7391d1fb3bbea831bf44e5b600f7b

SHA512
83207dff1aca64cb0be4382c91be04f6aa4684e87d08263a2ca1af292b0ad855f3c83dfd3b417478e72c52bdb3d3a060403f99b4665cc74eee2a1e96983ae661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8de3a74b26dfabf3c8cae68dab868bc2

SHA1
a2d22bba739fca41711fcc7414f4119d6e6abd2e

SHA256
76d3993e1139f553858a6970f1d5a8eddaf85a1440c5dfc33943cd72f240ecb1

SHA512
a333f9d9d1382d99b3e37570761c2a8dcc0e7aadb4409648b4a2ec1df147e85e5724a1ebafb89d0bb03f4e7c1d04ec5839694eff8164a7dcd6f339e0742199ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
046a08651e0e449c24957d55851c12f8

SHA1
117c22944bab8e3fc9706aec8990a3a5f62e771a

SHA256
973e81780fd5dfc7afb09fcb51a5c1761fd4e175a7da256cce224ad2b4829861

SHA512
6c8525fdf40e19e259a82f41acb4e15c0fbf85061772363cffdcb1c717dbe60e3cf4c76237fe64dcaad316cecbe8ab9d421528012825a9e9ee0eea92611a505b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b40b3259e4d662f517e38a59f307b7ef

SHA1
52a079d8b5092ed35f81c49531449d89eda3713b

SHA256
e524830540edbcd736c2da4cbeb782f463a46f4e120e798477eea74ed51b7d19

SHA512
ce0878b14d7f191f34c7152ad1104f6326ae8d91f5c520b40138ce4eae23ea6acb771299e455bb718ad261159c132ccbb5282a17a070642b18d7d965c6febbf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
78bd3502386e81a29aca1741f48e1110

SHA1
11a36eb398719501c111e8b2287a91413408ff84

SHA256
048691656e5c8ebe2b630de010481c01bf9a1533ac680a1b5a97c0339f977f23

SHA512
61e6b332acca0070fdb7e86e2d3a20f80384c9f6322c4527f6266251a7f35d2ff64c5b364683198e890f8fd874b93fc2f6b12f158370968c9ece55088fdbafca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
429f4adde7f2379fa78873071e6dca5c

SHA1
4d0503e7f769883b9d516510ec41cb9a7105b629

SHA256
9ef01848323a05c0cbab1eddf36cbce3cfe9e4936c419e44024377d72b816de4

SHA512
849231bcf0deef7ef3d1bc7674ff5d81de6e8b13fba298f96222a49a68a8678b6ecbf46db21628f78e230bbd09493108ba80ebb88a16a5d05413a5bc9b04bb36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7e72f1864b99f36f871456ba2e09c4f2

SHA1
cfc4976f42671909b18ce3378f8e27977733a44b

SHA256
19369d15ae562292028d4ab019ee83a91d46679f13b63f05313011a5adb480ae

SHA512
fd467bbba92f75c9293938c9771213c78f9c59849c72d7144326c5833351fc386cd1651815f4a7002b0e38f62c55f7a1566a803596a3c0c9fd43fe26414594ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f59f22e7d2dfea4550eb0461782a0e59

SHA1
98ef9b62727f80c5fb001ccf6dc9e19c36c88282

SHA256
9898e26d90469a557028ed247f6011e1328c3034a3a820a527dd2d4d04f82b7b

SHA512
524d1387d2ae9295cd6bfd36af006ad4fd101f1435ff339059c00bdd692b0b6bf4b225fbe23c1e70835e3e21e40f145859f5ef85e661df8fc64489ae1856d7dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c856b90954be9dbc5d1b762c42175fe7

SHA1
548363b4046170eceb60797b1c4d9875ea137d8e

SHA256
75248aade44357fd6464559fe8b34a949cce0949fd6667ec2973da3b81ee2a3f

SHA512
101b62a14b0ad04c81c612aa992226097f0802debe35f4accf3d7b9cee0859db7884fe3b241cee8daa28cf00fae1b8e4761e4c2b6bb6d86315099772903a7313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8c963f4e5519d715eb5d2144d01bee07

SHA1
1e7675c98c69a7b055db181e6344effc1463b132

SHA256
454f2c4c209c1900d097d2081d9694b421ea5841320b42de1777463663a71f7f

SHA512
e2dc017ad6a33e8da6ed2b79f3f0cfcdeeac99e2845efe4037091e868444e174874f66324ca4a06fd13e049dffa7b5024cc22d5435523a74fa28f8257a6dd94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
577de32bd26e01bb69dec56031ad25ea

SHA1
807d4697a30649d8c8ad7e51d35a8216af82e1df

SHA256
e0d643ed614bd002d9d3cee507327d7795cbe33443fa2ac2701e86183f14671d

SHA512
30f9a1895f97e0e8a622745cdf55dcddd6fd49e73834b97b6ec64cd7eeff291606b438fa68c1b61e38baa64f2698c91b1a968440afdf46554cfd64abf1f3db4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
041cef67c6c3b534cb3a8da3b9a05865

SHA1
8526ddc4e5370fdac7ce7b920c7545b38ea9138b

SHA256
cfafc41d6ff6d3b4990931504ac66fd6438491b81040bc71253dbbdb0c7a59ac

SHA512
a7d2cb1ebb26b4ee292317539d0804a6a033676c6e345ae6b539dbd6bb726a30beaff2910b9ff5c4e47599527602f49520f830c989eeeb70ccd705e6061b991e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fbbbc249db1829eef5764fb120daf320

SHA1
702f7b007d2c3d8c2f786c33ea041f98969126cc

SHA256
44aec91d2836f4c4fc07037051a7b139396f8cc042d69a4b6088ca4736386f30

SHA512
2e889c98f7b9b0a1354226aaf19d8114c9093a7fb3cf70dc4dbda74c4c72fe425a53b21df4125983615471c044dc97576114b2e5196505c217bc69b04fb199e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
818be8b69bec36a49c73bb613c9d9d79

SHA1
2773ddd18ae7f12ea70a527362a90b71feb2d43c

SHA256
67b5a26abdfb36b62220de8c6db14a0ac7de6efa989cfd8ef0dd7ce4423cc11d

SHA512
ea5312785057417a879eabafbcc820e81689dcd3ee3a803ffe83257b8d8b256510bee69b800032fcfc8e50fa8644d99103d24cb94bde514bfbb3aa160f69bea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
289fcf095ae0a8524b6c94da0ce96b97

SHA1
912a7e3c6e0e15b2c717cee6c53d1b42645e494d

SHA256
b765043d7402096865ef7a9838ed025f08bb27047a9a56bf69fd8a766ca881bc

SHA512
77357511a90fe7786fb4c13e16b30f7a1f8f36ec18d1ab4fa9ca50dafd3cee6e7fcd91effb3920c246d4413a0c2a75b91856d973037c67890ee1b83360f68a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
38bceee3e48d1833ab88cb519c591e33

SHA1
277757a900882115f8676173593c5afe7dbb43db

SHA256
b6fb833fc8455bb3368837a34c4f258a185c4025872fa7edfdad2675816d2ab6

SHA512
36f37dc65452f1ce78ebb2177dc185f50e1ef1190c7dae8e3681677b41d6ff0464347cc214a3eb5fbfa6528bac8e42b14b117ddd944e6ec8859e6f1a05567644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2319bb661b9512e482041f03ad8269e3

SHA1
ad43e78aedb719cb29decb52bc64bd3fe4680c2f

SHA256
d0a3bba79390c2381755024c17f8b5b5a348e4b84e42ca39641b264ed70a494b

SHA512
450923a131920f01a000d5afbf0139929d3b214e17169afee82648d3e48d3e69dd9df949afb89285f73d18a0c8541861a3d14011d82b412bd01026a01928340b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5af1decad9d17a0f066250d2622dc311

SHA1
51af411d1d3e36764bf9d23bd1d8b91572af9f8b

SHA256
18546e707079b00c36004541a844196b5ce835958083b98cac187691989ef1de

SHA512
d80f855eb9f5603881291133ef5e2598f8ddccda5c1e5952988a1227c24a5438c512308023ce4dd0a574e48aef872584eb9d9ed0fc06ed2049466d1c0104a5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
89242e6673f2bb75e3816acdb4aeec88

SHA1
e537ee6a877c4f066d32514b00662204021b11e8

SHA256
52d9a6ef588179af1afe6ce5c6bbfc89586cb51bd3b18a0437640e505dbabffa

SHA512
58bdcb31ff73e72b8862c94c11700617f90d205699f95b15cbd92090cdf0fc85fcdf717cb5cca9a88f9c82c87baf28d32478598b53908fd71aeaacc30c425b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
668ad7c007a29f8db482d60f5747ba90

SHA1
563eed234ebb264e0feae6f7181f10ba680c942e

SHA256
3f2036eec57470a0bc74f1908e507308f24f712a952b250dc9d6d25db1f1e76d

SHA512
c1aa3c944ff09bc511e85c1dd451bea64747938dd7890b6e436837c8b4b6aabcd1edcb5795b6efd1aa0e90076fef306c8879de0a16681bda16209e50c8ffa8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b322a77bb5626dc6afdbe57966c20b3c

SHA1
25333edd0a54dcd1db1f3e024f7971e042aaeb6f

SHA256
bccffd172b0d00ab3e56ebb312a7c86f5493a70c1db6debee3a808afa041373d

SHA512
ff78f4b7b460b95dd2ad0eafcf80f5626f260bbbf11808c6f5b1e938faf0aa36ec5d9f63f0d150ac5aba98faab41bacc72822f83c5b8a4c34481815d7888dce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
36f8306ee7b4a094808dc270172b5702

SHA1
a720d149b65bcc36c91df80efd0bde09702428ff

SHA256
54ea6d84b14082ece6dcd4cc03b872dbf7b490da622cf48aa433af15c381921d

SHA512
e035346c5e8fe7987859dc27c339579747cfc492605bc668c0660ea8f3daf4e10ac1bf4ac3d003c7c04ab65e41633566abddaffef0490caf5378d9d6befe50ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c2cc27399a83c6b0495a98be11747932

SHA1
047781f947f0759ddbd71f5d13bb63b7257182ca

SHA256
7f80ba3127aa69185fbcb1d29f866c10e004b419f265a1b899ff6bf6629d8805

SHA512
b07c495d07f45b7963e57e04be7a1b21920cde03f8fd00c002f7778ce97e168203e452637a9bab841d208972bb54558e3e87d0dfb470e27e522ac763d85a181c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a777ee0f8a0fd36783b5345d68eefe65

SHA1
71d6f53c97d309a16a6e813a20d0c395755807d6

SHA256
144ed2f2607284de8abe27811a6691acda9e0ed08a46878d92fa371f3056f011

SHA512
55d550fa071251153f566303d69151549bf8ba1477f40371f17d6c9754246a220f2d608d3c719724927aa43d1f58994918615966f8e32b6cb8588403e9c75e7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ffce80032da81d7f7c7f47d5b9cea63a

SHA1
736475f6f6b0f8181016fd2333f2039f5ed646ee

SHA256
d21da1ec89b9959c40ecb73427350d27dd4dbcc296417e876b51a9942d2ee0ed

SHA512
7fc2dc35a56aa7c739104955a41299f845d586475093e06f6825f6ca635f93b66471b18d5df1e46c7ede030e2093e0c03cc257c3fb5c003e0a0615947c6328c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9dc3234c1d7b4ed1588ad83b5270762b

SHA1
9500621169852c2f7be709ca95c50ed3bbd0bf9e

SHA256
7a8e88480059d9c85f95c30e2fcbeec47f267cdb639be8285db9b1e684a8fa11

SHA512
65c59e9282b7998375b4632eb4ba4d51617f9a823f8a4aa9cc05ab71ffcc13928c5d9efd6b51cfe1a3ff3874a01407000f71ee551bedd43ff219100d392538a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ae2f030d5fa91b9d6364ebf4255d33bb

SHA1
534a478b1ead81981ee910925010965ee93cd81e

SHA256
38050974e71e8a73d62928e40a75f3aed36cc72a1676e2194d7cb0d80cfd919d

SHA512
f0d9ec4d0e6ca9b328facb613a7e3e3714112904694713323cb2cb0fbb00ec1747b8ecb5e9d2160e2ab0fb119ee982e30069d1e876844b205de7519c3973ecb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1f0c2790b2a6cb612a1cb72dff93dbf0

SHA1
86f33f65e169d50388e62729ae7e27a25fb4c6d2

SHA256
4b5e0629225059b9ec68cfd0f7d3d6a16dc8f93ac714b698618284b8171b844a

SHA512
a6deb26c72de6156a8136fb09e651cb09438fa300dc290b60c7a6ed76894956b25f85f5c434463e0033d0112542745349eecf34a207a0895994254a559dadb1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d968f7f8918b8359cd18ec968dccbe0a

SHA1
e4c6cfe066a72be57d7434c85173af413e7bc50d

SHA256
a2c9f6344e5bdd0069d983b3aca52576dbc811024fe72d3a66b774b8e0166899

SHA512
e0b335f58460db6bbbab08b81bf08bc142b39c483be887ee4677c32011863a0676cb91b7be476523fa1291ae74c16cba6c54eeb4e5d33b5e4eee3624ae3cd61d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bfb2eee8b1af9decc831261a3839e160

SHA1
9c72b7a07af045420d4eb16aa1835e75ee8ea528

SHA256
ed5e07d17fe66dba7b4cdb3a3f112b1d0f1147b719dbd6e3e19b16b6426bb1da

SHA512
63a6a21ba4e46eeab70382d641ec45598c1394b2efff2d39201236a79a352962e3adbfb7efe2d9fdb587787529185866c8d79c47bf9f8a313b85de5ae3feb891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
94179937d8af91a46bbebcd39a8d17be

SHA1
dd72e418120f70d60590625c44303fc21a1fe709

SHA256
745c7bf0a607aecf20dd99a0ca4f38ba95912ca44f3b57a955bcec1404ab1a64

SHA512
93c9a0aa15fb7d3cab76d833cc98df0129072ae4b9b8b3210de7f7ea3cd0f6d9b8351f91edfe6dd78b529cce6517b0195f6412639a908f89a22e21be69431fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c84258bef267beb57ebd78db5a4a841f

SHA1
a7c14ba706aba7b0378ddbd24273f4d29399c94a

SHA256
817cf9f5238cd08df649cc3131f039795ed880e086823f06454618db6adc2df9

SHA512
ce1099475a155ee791c663fbb953e03d395bf83e0c555b5974f42c96bebfc25dac4591cb66004ea613522f5774e2709dad2b83b0c79b0026cdef655bf349bba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ab508c943f4f7a9e335aadbe1210fd1d

SHA1
4341ef0187db96ac0e94ce91d23b72076f06d9fc

SHA256
2f235eeafe7f715aafb254c3f8a53a8bed51394c54ee6ec501b7d4b0faa6d38c

SHA512
d49a333351446abce51750194b5bacb84f61bcd228cff42e128a91bde1afb0c6df3bd31f71bea9e99f69aa8d41ae9bd49898ea0279399fe69808fa1883a27ae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5029d55149294dbfcea5e302ead1c179

SHA1
dcdfda7e5a75a53030d2a95975fc934287e89c0b

SHA256
5694215456f550baa7d284d2c4e7bdea37f1567661d8e762e4475a335a3bb038

SHA512
8e76958bfc1809429f749c4c601a3b0c0a070f0a18a6a22c6becb480a8ffeffb9d883225ecf842b7696aa5a82df567daca169e5aa4d818dccfe77dd7cf9ebd7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d7d808fa95f829029507bd69480b6b8f

SHA1
78ba4ba8953503e5a642b459612e54dda6b6ceaf

SHA256
f1bedbcc109575158fb72195e50e85d48990ea88ab59abb796a6a3d3e2250d59

SHA512
8da95253792f5a1f49f6ab2582b078b090727f37f9408a6a14c2d83d73e7542a8e018ba12251a8cb1e22e24565310a88d530306f3ee84beed560a620784ef8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
95b456a2d697d3f290848bd784f8aa0a

SHA1
2a4989c7953cc67931eb418dea8a73fd26ad533d

SHA256
db7cdb248dd8ffe5520781af36473e085becce28b8307b3c529ab18523a9b31d

SHA512
16f4cf6942f119911d1c4c5de01e14a998031f1a9d91eaa24fdf32deff8aaf39944f1bfc3fe8a8ec58a6c9f2a6b32cce578919f79542ff4c8f3848959ce7c655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cbe65129b198c1bafff7fd0312266be9

SHA1
7e75fe7ee81ca1ea6c34b9e33cae35100b3699d3

SHA256
9b9985407b4fb03eb7acb08ff4d4a779e0624a251a7b916adf3d9190100e6496

SHA512
55a3c88735c49e13adbbfbfc6483c4b90587e492c15593691b2aeffef95852f4f9bbe1866ef564d1b968ad99ac7c6eb38ffc2136ea1acfb0800dffab7d0aeab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d39309a14f3231ecab568d1f54064212

SHA1
915af59ce79a60525c765afa2cea17b0a2aa5f04

SHA256
8208178af473f7c0a0737ce5d02dd2e162ca0ff8c32dea8e62659d5117f691d1

SHA512
ea91036726f5d5ed5170fc7bda8afb53f1f5fed92f137d3d94ee5c5c4e6211d822ed3beb5d6fdf3719416232726dd2b499d8f5bead79de0a07a5c5b6b361cf57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9b2335e35c15dac2d115b0a122158f02

SHA1
6873f90da09b94b547c848d652fd658e728d2508

SHA256
dcb109e1dab578d74ac14669aff8fb808d71e2171f9a507b36468f9f23dfafce

SHA512
801723c9661cc35f6dad70c8d9dd4c3b3d6beb9c2efd5eede7104a890e09578726b58a3ba439fcdfb61943aed8bc43cfe9a077fa4e5dffdc4d1ce137d2daf26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7a2ff67cc9b5570474a5681ab8692724

SHA1
45b116c5bc321d8cd02d3b9acd5c68e84bdecf1a

SHA256
2ff833ba3cecc3360ec8d1f6c5ae3fe8ab29cbabb2d48da8e737347fab596f1d

SHA512
1c6fa21b7dd3ce5344b757e41b07b513e585a33b25024fbe3c8e60bba9b721ef28353c7bad5828cd114eda719728ca01506cfc4bce1a74f8598d5f6b66339ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
20e6a85cc7b3633099ce66e24630dc73

SHA1
eaadc53ec2ff5be9c0e245d47e733e187b8e5706

SHA256
2f5b929d32e55c74e56113ebe3a676212f1c91ad52a601284957d4554263aa74

SHA512
d47bf36acf2dec193abd58afa91f1eba55f40f45b9945f0a414687e098d84eadb3b52a0a2c487462182c3fd845c14ef2f17810d02aeadb88e6a37fa210103d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
276803a244ac21d45cded93e1c5273e3

SHA1
d54de197e57fdc4817183ee7b201855f5596e69a

SHA256
980cdb90c8e67168516e9546d04f1ba47417dd55d7d599bd49166621abca6daa

SHA512
81b7dbe30e2405de1047049ba92124bbb66481c152b7dfb765c45ef340361bfbc94d097810c7ddf1e1654dcc06ba724c87a4633db182d828cbfdf2fcb7239610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
219c7c0b60cf8b17ef2a0d900e642735

SHA1
3ed32380bc6d3c33c8b6f33b0849dbbab7355a3d

SHA256
bbf0484bcb40cb76027c7e5d0f6b5b4385fd19ecd66c35e393ba91dfc417e04c

SHA512
8e1dee651d9189a6ee6b82fa072e22cdb66e8ba2474c28b3931a7ce557f066ed6d18ef38ae8cbe33c818a89519e84eac419a9c84a34c713372455c8868eba3a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3edd2a3d336f9929c0f75dbcf0ed909b

SHA1
4a1c15b37fe9edb9b4b99807b7d3fe0dc55e0697

SHA256
bcf815307b1f63b7a5a5583a7db8295b9652fae3c7077c3b1eb9bea1677a2f56

SHA512
3f38ff371daa2936e7973d81bb51de5c788b9c6c6a2e1046228ca55ac1d612d26cf62e869409c998f73f8896506fbcbdd335022448ad478c879a28ed9e719ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
02c7ff466e41bbfeb53cc258c1d48101

SHA1
b420053921f4dfc3c2bf4fcc53030de1270d5120

SHA256
0dadad91838a026be4982070c0998080f854a6dee3b266ddd5f7ad57cce78c13

SHA512
e56ab03f2448147f0f986982b520e8c8d4e0a93dd490efdeaef6061385ce2ade8f4c39b4535ce0ae0e3d33601fe07ace7f7ceb7d48000f9a176ce04f286b9673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
bf24819c0be9ce47932a82b97df75270

SHA1
15d9d94833e87d59eac7d354a5c0048777ff59a0

SHA256
e04c33f0e437b71a105d0d61125c3279d6b0c7e065d01ee93f493ad73f77b432

SHA512
2716388f6df7d88da13a01d7670d5c6e1a4a3be7f1a378a1e38e15dc9e79b2e0d27bd03b6a06fdc2f222c345207f4a66df1aee8cb2a9c9ce50dfcfa59bd32d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
351fdebeb0751652cd9066fbd3112753

SHA1
801885cb0071316e5cc57a5b39b4e5b2a4fd902f

SHA256
175868cf600aebbc994098c84ccd6cece17794be64d00e31b36806b0a8c04f41

SHA512
1a32a0d8af8dd64ea62464d6fb23fb32f1973ac98e6a6823a85a7d1598c28e890dfa9482b05e7ee036c9fa1b97265cfdbec889f6cc17c9c9277b340b1f8d7d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0280eaab418f943cc6b41deaaec68b52

SHA1
dc2a2259c99bf7f3ec10c7b75ca72c4b10d3793f

SHA256
3dc3f31971976a31ba2219ac1f33f26b75823a8708fd42c155c6f70b70ca4578

SHA512
161a8e917dd0a9ac1ee339b26acc7ccae6ef28ac23193beb196e128e77d84164f3382484d61e4b198618cd4e2d6cadcdfd99142dc8b66694adc45717728a562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zfkfwlr.fkx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c0e0b2ba160b697582345c76245e8c3e

SHA1
56f1105d5934792fec142175236123969974e701

SHA256
6b4ea89c459a538e95f3fc5905cff4845bb641784553aaaaf8e97e7489ba4aad

SHA512
6157d83dd30808ed1064d2a2106dafaf103e6eb666b1584867586fecfa7584bb9cc459ccb581cbf75470e1cc4c2b87966021c3aae095272d7db42ea2509e2ac6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
136KB

MD5
1d5f76df2588a5a4032d4f32874a4618

SHA1
810d88e6bf82d4545313a7bc0a52dda282309a88

SHA256
cd25633ef602296a1b85e07afc2f92b8ec7e02d686874071a214aaeadc1320c9

SHA512
fb05c82d3555d425d7c67808630351b9495e301f5e563047510e37453d6f54297824e2556f6f08102dbbef854d55d26648249bb8f36acc35da5ce19f4ed81e19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
2217b1869118f22208c95b96050b71cb

SHA1
0f8f7a8f5dc1e3e614f93bf419f68b525510a897

SHA256
bcc22bab1e260d7f5bd01471cb1946285175cc45c0b1ad3867760abd1c606c42

SHA512
844b798d636188abc171f6b018c7f207f5a4ef57f0a018ed054a83fad5c4f40b71e39a3d8df16e79227eb87defc7f12a905ac7dd3938f66b0603e2a233361ff9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
60KB

MD5
df97837b206838ac42359b4677fac41a

SHA1
52ba76afe87fb6897046e2e79d22d5356eb9de7c

SHA256
49bb25658d544543c0d6c93cd5347577808581f5bef5e4ca0e40e9260234342a

SHA512
91592d3af9e8e87e7a541796434687bb73d2d62ca17633c2eb2c4bf04a887e69b46903baf5db2efa78db97658707f645285ac423b2e95b06bc94e3454d459f23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
87KB

MD5
22a6f2205d7b1b41b470317330fec144

SHA1
7a123dcd79266529053c5d69f87ed3354348def9

SHA256
0edf5dd62ceea3e9f95934dc57220fed59683553ad54a8ed36931d92460da881

SHA512
db6e93bb2e6be533906df79b419f8c26060c08cd19841fda1732f2f4b36b2f78253b0ea6acc1ff4320998b6e6ebd052350d20cc51778a541a6637b78b781a1e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c05565ca5c00a6e34e822be34899a8dc

SHA1
6d4218839c663e53fe9bd9f4d4089fad8cd47af4

SHA256
41e239a49feff143e390fce6b391de600d9a01ba6945ed6a624f9b939dc32ed2

SHA512
01076069630db214241d236378d612581688c35b87d4457bd22db24ad10865ec99b62a5e0945aa4bf022a94aa28a29da4af2df8f8fda50a0d76dd08dca3425d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fdcfd6b3ee1645fdc2b978dfa884079d

SHA1
b477a58e45b859f56e187fc96ca2cb92dfbd9a55

SHA256
c4c39c9799e9861c8d811fbf6a66312d16e6a767e7ac73e5b6211fcb057647cc

SHA512
574fd1e0222f577279eac988755c598c738a25902e64c9fe764a6d6a9be62d62833058f01dfbb635505d25249a4fa5f2cee7c20faf09bd188f7c9006fde23d1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
21bce94fa2f5d19077f86712e272f39d

SHA1
8a211bddbdc821de351fb0e756683ac35c2df278

SHA256
a4c0da5ab8c1389af975994a49d176ca00b8c60a7cdf60d140aefa66e1a38807

SHA512
461b7ff1f6dccd44a1d28f8af16829fa7b4c53d306009bc5c0031c80f78c896c4899c03bff584b71453e720ca23bd45e059f67abc8f1f16637ebd9270c388120

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
2b9a211713a3eddd9a1470157c587137

SHA1
4747266f6de20417df15f8e8ffa14625596854d1

SHA256
3443f121be0e13d3cfb2b95a6e508155f7030856ec82c358c55fb64123f77b91

SHA512
24cc33847670b444c55b010b42866ed30759b6c518be591abc5e776c67d603ad55d4977de7e317029059d3a226a583c70646ab9f2fc3f9396946dfeab353679a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
595e14da83b0285ba75c65a723df40e3

SHA1
15ba833762a502a9bfd3f31a073c92060b270ae4

SHA256
a8893567d1392ee7d2413efab214a9fc1a6c558111701181a286d3617a1f4bd8

SHA512
db5f74af39fe12c603210e95a372235eddd1b3a268e9c631d2cef448b820ad5161b6fee46d73093d589d473b265b48b2d7ba0ce15c9e84e83af6dc5b22340a8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
da410639b21de1fbb4655c58e3ab5c09

SHA1
8a234a8210f21976b6fb908a8a88179629b88f71

SHA256
f45c8c41415ab470df4d507cbab6848e297eecf5365cb73f86bf5f19364303a5

SHA512
d88dd8326d07c949f59637dcbbbc2f2fa70d4186cb48249e682475c06953bfe8d58b9820d8bf47d2cbc0ca98dfb8667f91ea589ce38b43d09d4ef895354ff8a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
6eff2649bd602433a45e5a297c181b1b

SHA1
253cbc10a1f3cc1e9e6256e5ca3986d3eb4638f1

SHA256
0ab44d2ee1d6721613999a25ca00c0e144b5e30b5534e257437ba03b2f61a1b4

SHA512
5fdbac0322d9f03a08bf17f14d69a101c5146ce69cf49c33ea96540398974c93b16fd3fd1b6e2c7cb2820e233fa562922e84f9c6623caf38ead7db171b6724d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
f9aaa0e3e993120fd6d3483bd6b67af2

SHA1
df2386c1cd782e8a6e98a449db441680f668475e

SHA256
b82188a279c5a1edb05b0d5149756a1c43ddca00a85d689474a9a6ee6a0b87cd

SHA512
eb0069381608855b45345f30285d3cac74a81b4448be34936621bc241a98d17c6890b9df9cd42c8bce7dd0b394591681c643adca0a9c33e3bcd4ef80f191e6f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
88eb45d64800a1a5f20581dd2c5b3603

SHA1
f53127daa6037a8a64c457059f03771ea580c29a

SHA256
162763f48a73f08cab59f387eba00162f9b0cbfc1cdbbe8c68a63cdb22501a75

SHA512
0bb7a0a7ec55aafd4d2f91b7f2e0618f5e3bb0a7a097bfb7cd4b4c13219d466f01f3b9611a705552eb1c953ac56c51e7e3c459d7ca54f4321c2de96aa43acc2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b0594b3d55de2a50bbdb019d3b909510

SHA1
00ae693f6fa078a2d37b0e9863445ecf28d70cc6

SHA256
389f395d823a8cf597475f3af01c2127f6c432d355c654e528b1c725ef95a62e

SHA512
3b18a484e8e823f83a47b4a4e291186e61e5b398dee846b83e5d7e30d9d8ac072ab7bab8294368f2380ce37ce3735c568957f0ada12ef314b001a62275f5c707

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7377c6959fc7db3b1298f4df40f55f3c

SHA1
b4988630b578f087f0213c95b44eb4a305dcb7a5

SHA256
78b364913c551e60c933ee465ee3476b6d46b13c16a59ccd1a7fd71a07296959

SHA512
0cc9e7b1ea1b0489619b39d0b6b5352c7b87773dfb35608bdeb2da15b512237a645b10d833d0cd68ed11a698654f08150c511e2196bfe12bb35521926c6a4f7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7c4e58ffef707809f41e3af99c455873

SHA1
82832229653082bd7eb60eeadce24496fc7e09fb

SHA256
b97ba98fe5e9a46f68ca2c70679f757a842a9d51d6e9f03b0a3f56d0b42c61f4

SHA512
8e7e6f9788689a1c60fb772f27f87e7cb69fdcf2eed6cf4983f1ed848d7fd05c83b2e91cedb8071032b14c10fa3cb1b0be804a961c32b9d39db6a66d2b02de9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b5e43580a0ece157c8889746061740e5

SHA1
c2e810e213a494494756aa8cfad5fa6f49b2038a

SHA256
0b512021159b94237693d81b1b546ad59d5401ca7a7bdaf9eadbd44159a606c1

SHA512
47fb6c0ad675bb0de02409cb60cf1c61693146830ef7a76f338243e0e94f01b7e30b57a2701a5f48bc979bed065652a7c8f15f2f573f25a45f8e3c0bde1d63e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
474ceb0e9058150d11223bd014e9e930

SHA1
cbc13ed6dbb19983742aff708ee6788a5f9be752

SHA256
5ba61a474101310099d2af7f79f64650cc417528972b560d67a528bd05ed5176

SHA512
ade065cee4b00eebeba7fb8a77e8a575de82c10e422d1bde29a2acb322b7afc509cad662ac980f814fcab6b0db0e381552aeccc259899811705fd09e4ca39125

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4a7b289b43742540b090cc49698fe353

SHA1
50bda2b38edc78aff3716ed0de4bfc2873762795

SHA256
1448676fcafaea5209cef1a986fad6733a447e2c97d5b96afad9563fd0590e82

SHA512
649c42fb4bf9e122c45fa4d190dc844c1f522784d795ca5ce9ceae897107dc9ab36fa3bb1532341e62c7b9b5a71d1c557003c04ad3b044228967e1c5168b212e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5dcb1a647ed607bbd1fc6a2d074ae929

SHA1
988bdee49ee9bab3256e85fabbe7adb25d5761b8

SHA256
be71c4b147c475b8c49f33086d69706e7a5d1d99db28773564598a7b1d61c7e9

SHA512
9a6927c3a54839b8b21fdafc0da1e9f7cc38b0246a69a0ac460048b508c8cac9ee3ccd4b140bbd6e335464a40588efd39204902ff754b66750efa92dae2ff694

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
c0af6cb7e6c95e5b7f6a7c67749d1630

SHA1
d528ea2c41e5f3efde67ed71d706f77eacaa4568

SHA256
355d4ce9455769f077bdbae7cfcbb4aba0714989c4efdd199e625cf85b1ed8ef

SHA512
d82424de4cba6b526b89af43ef470520495e219a85dcf7b29d497bf3cccde13e9c5d307e01f7f1dc8249a7948e22aa6e65f289afb4203a47af7dbb439b549cf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
00feab4ee2e0284bce976279e772830c

SHA1
45c4739d6edde6a3cf7277b34ab45e37a237a3fb

SHA256
e8d2d17b4dba1ad135e05a01a25abf1f51c6836d2dadb6fd4df8791c5e77584e

SHA512
eefb5eaf49b390461507ce9e6375caef553eeceb48e2beec72646a97d180b74b44c0edfc5f90ffb0c4679ad66bb65c9a40675b93790c22d6a108dfda8c4ca12d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
853e6b7a01ad77837393afda8fd5ebd4

SHA1
168d198beabbcea611fad1f344b9ff9a4663d565

SHA256
eecae04d420f90f2377f75f1f30cd9b9ef4901419abc59f58f4215a4da7c6bdf

SHA512
cd902359f739bd70291f8320dc3a9bc1b24bcad50a04ba577439c1d42f028e020636dfda30e9aa45d52be8cb0eaacd2d39c1f8ff062ec70158465926ee728216

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b9b02a003480cb4a787829280635f28c

SHA1
b2890ceeb730ad86662c2e4a7f846cf8c681875c

SHA256
a4bdb70e92fc87f33da5dc96e9e75934a3a1cb1dc96d03dfd9980003adf277d3

SHA512
2394a4d5aa47ba4cbf7284c03e5dc7bc1415aa63f542ea1543f79753bb75b298314b774eb74751de3e82ac56769ee755121f36a790c70a738d9a12e92cbb95a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
edc53f6d00d7cda6d1c58bcf0e862ed5

SHA1
b135395d889e5b9b91983e604d0d2697c7ca0ba1

SHA256
6365c7045b71a510ca626ce8aaf0826f2c4cfbe20dba7b3b900b8986b9138d1e

SHA512
d6482b9f8e533d1ea5ff5e23c94e460b616eee96c9d777cc042b950390ad6ae11c9aae03dcdb677c9de783adbc8dfe6fc172bb3ceaa3f8d98f952f54c439928a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b7d8b319e3170ff1bd650b6ddd6cea32

SHA1
7fbfd6082d0b0eaa7eaa207fdf6a47c0714feb8c

SHA256
4d136766836f64aaa8bd4f22027f480804a3405cefaa6bc3ad3edbbef3334c1f

SHA512
3a9b895ea2bb7e60f91d9fa93a80ea56aa80efe2516973199d8c53381158d8f86aa536c08744d4ce8cd91e89a800de38a6c2f9115a88752b0ace1de3466e0b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
7d62a7b6c8df1761f30eea2c9bb1c34e

SHA1
46ef33e20ca39b8436a7b1ad43db5b94441a4f56

SHA256
36b42034ba1539868a723011e46be047288b5f3076c927546c650ccddddeeb0b

SHA512
22622d0807656c6d16b8642773f5358366abac681ff78911b474567b21d2557914d203c31f6947036a4e5ba6b601998c14ad92a27a05ac4c07b8eb1466057503

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b8cb013f0d43ff81c8149bb13397167c

SHA1
35e378977be352581d0fb71637e40215b182c006

SHA256
f82d835c44250c0c9fd5343b8b619f5e4559ce79b3562078a044f939d076b6cb

SHA512
d009bf71aebdbb44745efc812a0bb3ac7bd8691cad8db2d766e88f03def474aaa86049c4d6cf10aa485eff67b0c8621fca24d7ac8e56f170cbbfc19ca0edc360

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a3f9deeb38cc3c8062cdb50668551534

SHA1
19f34c386bd1b79dfc1d8e63960e99500b96a523

SHA256
53753f7bfa8ae63b72e4a4f3a5b9a2296930038568143d1ad8238ebbc91a714c

SHA512
54885cc4535b3d712ede64e4c5dfab5a5d38e9d40440b500d7772908f8043bf361165f40c659a527d81991c4233af7f0232f38ef30f87154c161a2f32ded6bca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1e915832db2b17a37451dbefac0ed430

SHA1
2fdf89d5e154a2a60f8eb6569c437402cc1a664e

SHA256
e2db2e22c9572cc67eafdee153fdcc5afaa566a4a69119de76643a6e491d2c5d

SHA512
fcb77489bbe4b6849863ccd1217814b92328c4115c843b211de26ba76fe1a651de13d122613338dc6b5bb5b2efbffeb5f013218a0510974aaa84895ee9e12e7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cbe640f04affb528df59f57cef3ae514

SHA1
2852be0d684302710e6fdcc174acba720ac24dd1

SHA256
1dbbf5a2a2e8d71a15db1c02fecd5cb7515a3f91b83a06e10a5999ae7b0f6fbd

SHA512
46554829e5e70ccd463a2852a99dd948ed8ca84fafda3a6d0abe6e0cc231c45978f4e44e1fa6a3412548feaf9ad1a586a653d737a19a0205662bcfd2b1d05a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
35b8b1306df9998dc2d2b70dbdcbe890

SHA1
3013e143660e4261ac2760d20411db9f48d0958e

SHA256
5ff48da1a0e058c3cf49c3bdaa4ccf35cca0517a57ddbb99f2a9b8296bb13064

SHA512
68d5cf79ab6f57ca30118159ff813a9db6990b59ebbe6af0a54f302bb975d46a27db16127044bc1f6ca1b1aa610d9d08210508ae6376b7818eb0e9f8a4afd284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
87896e3affabb1f9a6171aa0954d5b3f

SHA1
eb222cdec92ace65448e6e48a63eb0151ca60a2f

SHA256
4840c38bc47eec48d1966cb7934213342e623333444370ec57259229ee3bb244

SHA512
c244eab1ed72f3f4d8efcf1f9f05bf05408442b69b7830984a5620a8574a5c84c903c4aa6530b76c04eb31b80c0206b0ef6384e5993e9a915eadd53266983889

Download Submit
C:\Users\Admin\Desktop\CompressConnect.docx

Filesize
19KB

MD5
c635cbeb2db82d693a49c383693814cb

SHA1
fba468de005cbbb84b156700b8e419a335b28b32

SHA256
ad99a631a3c42857e09bc1cdb14c8cc094fd9d3f939f4e61e6c59e55cc3a29e0

SHA512
256c11908b8348c1bedb854c9e90f269dda2ade568e757057eebbde7091340a44e1ca1b19bdcc95ac9132589ee6e077f9c8210e3ec5fafb3313701db220be06d

Download Submit
C:\Users\Admin\Desktop\InitializeResume.ps1xml

Filesize
162KB

MD5
c19f2e3eb128aafc6c2f2ab589acb4ae

SHA1
851dd39eb1a89e695fdbaef23b72c2889f4802ca

SHA256
cd50a95c662879b5babc76d3b567243f7b4256ce37fc679dea4b0ba7b45724b0

SHA512
4eaed556d9b2aba7a3d2dfd18677d80c43fea8808b8b37196fe2b3060f3294f7916c60da7d2e40652ea488e62e1e9305b9ea9e5bbf26c9872ac40deba464d945

Download Submit
C:\Users\Admin\Desktop\LimitGet.ram

Filesize
410KB

MD5
402d6d139c0fd0ea841e540ced3e8319

SHA1
32f5634367776ea588d57f012dc3eef7e2e94a1c

SHA256
e299c579eb6bf75fe8ae3c112c301bf8a639c0476498c7000f19037b50541f17

SHA512
c2c5bd5ac6f006b4587395cb481e0f858cc41aecff2529df19706f56cf2fc95968603db9192dadd35bc0ab82c7c01f458907529d7101d767f81751713f6ddc85

Download Submit
C:\Users\Admin\Desktop\LockConvertFrom.wmv

Filesize
342KB

MD5
cae537432978cb4bfbf521c90321a75c

SHA1
748075ad06c540b789d07d8decc67b3461c33921

SHA256
abc9935b4f123f3e8e9f910b96e73132e0335cb108b4e357e19e07d8e0742af3

SHA512
88e8e23afc55754b3cc48be45e821ca8c9124ef30d491a867c53e4c3449a1451dba9477705488b9df1b20c9bac6e08bd6404bba6cd5f4112253da7ed75e6e805

Download Submit
C:\Users\Admin\Desktop\MeasureRegister.png

Filesize
432KB

MD5
2a4c0341ce8a5d88e72fcdea23582838

SHA1
b3a614fda6e98b92b940356ecf0b712d237fd784

SHA256
8fd03f4a4fc3fea1349b425754b31c5ad0272347f764c39c49442f0d4f67f56d

SHA512
4a63ba1db6c854a94b7a485a121c08d47d0b52b9b1b284e7f6d6a3012f151aba13e032bb50213cf484058a963c10b6f9512ab333891619349323727cfcdca106

Download Submit
C:\Users\Admin\Desktop\OptimizeMount.lock

Filesize
207KB

MD5
3b125ed84a070c0595c5c3be027ecbb6

SHA1
958825cba79efd861404b682050d13d65081dd38

SHA256
3a26b124c955dde36c5b56820a6f7e5ee6b8897f89b98e9d58bfb66f673d38a2

SHA512
ac2f7efa72a8bbd1559d6d690822ec20617da53a9228c5a5154f8250bb6090d86b0940dbfabeb77b4b90f7c648a5d9670a2ffee8346eca7b85c5f171eb27e130

Download Submit
C:\Users\Admin\Desktop\RepairNew.i64

Filesize
151KB

MD5
e9d91ab8d39cc1784fac11755eaaec30

SHA1
fece8cdc963d1a5770e1b5f3888872a58dcd5bce

SHA256
d2f0a9bf5f16253ced9233254b1c015f9c810939a5955125dfc229cab6bc6a44

SHA512
65a75225fe88af5fc042736518cac059af77681d93482bd0915c0ee599b6dcd2d19c94ecf0e6374c596f66020a0fb72ceb3944226cd65b0bf25b82cc70261567

Download Submit
C:\Users\Admin\Desktop\RestartCompare.ram

Filesize
353KB

MD5
54aaa2fb7b19b59c5af5cf29605453f9

SHA1
a32d8e9114e249f2b7020f22afb418e8ebb61846

SHA256
90bcdedfe00d63467bb128d282dce032ed35230dc9f2a4559581021e52c50d84

SHA512
49d1892427220576f38b7f6ca5c2655f52cc6a482209abe48a0a0f99340e5ac3b485b77210b2371bd9c4d431f86832726bdacdf179685304aa62362f0660d274

Download Submit
C:\Users\Admin\Desktop\RestartInvoke.xls

Filesize
286KB

MD5
538a48aeec43a1d273b401bd41a15f2e

SHA1
f38476c81414e1b79fd95272fad5eb5d107e8abd

SHA256
ad9c9f4b898f4a826c9b4d0eb83e4e5175c0339b241539b072729a0acdbe81d7

SHA512
9503945dc5ebae166cd2492056cf77bd688848067e3724c0c2df223769a29b54770a65b4b56b311c5939e9393dc0f2069358db8727f22aad66957b05439b2302

Download Submit
C:\Users\Admin\Desktop\SearchEnable.docm

Filesize
264KB

MD5
5ae48d4154cc432da189e0e7e66dc7b3

SHA1
297ec459da4b1886ddf58181766a9ea084f2bb28

SHA256
d6ccc8b4af7d5f3bb103b58347fccee063a5ab2b3dd9eee83e0733b0ffd9a3b1

SHA512
9f1442cf764b08e1dfc10783d388df83bc46bd12809e579883bfcb6dd11f7506734e6cef2d1fe6db946de1dfb8fa438224966fda80f8d18a8e2c2e08f28d50ed

Download Submit
C:\Users\Admin\Desktop\SearchTest.xlsx

Filesize
11KB

MD5
e73257820a3f605cbb9809159277a71c

SHA1
664aed4cdca597eb71560ed298831e7acb3a73eb

SHA256
988158331c06be339e5e8e8531bf023429461f0fb8d54cbf37143fc4b568dcd8

SHA512
278715041e7b575788e44b7cb12de93b743ea7c5d1ed56800a9892afdb9b5f7ee757781eb04bf603a29d5fd38970ec2ee6a7a9fed7920cd4f98959340f7d4955

Download Submit
C:\Users\Admin\Desktop\SplitClear.ppsx

Filesize
219KB

MD5
5bf7866a93c29decbc21ffcf909bf3f3

SHA1
34cdc0a39f7461e804198ad50197e8611ebfc407

SHA256
57321d8d68c911ed239b16328fffd40675d06cf991d3bf39ef5f6f5d5a6d7251

SHA512
78f2f5b6625cbe602ff1f187470dcc8861a513d52792e02e4b9e9c334b459bcb3b0835948a0865a01bce59b63a04c976be9cc55a63d60774953a25d619b8d0eb

Download Submit
C:\Users\Admin\Desktop\SplitPush.i64

Filesize
174KB

MD5
c49d858bb19c374931bb824b485165ef

SHA1
146fa9797f1daaf32ae695f3fe17285f913c8d8c

SHA256
a37cf3a55bbbef8fd40c087a414279ad90334fe89a2b11b9b44301e5524e6d60

SHA512
aa9d1e29486c6ae0970de279e4f54c1082dfcdbbb7877cbd595aa77e01d84b63ee5d628f216771fdb6005511f29d820dba64d0024579bed9541aa95ae750f180

Download Submit
C:\Users\Admin\Desktop\StepFormat.ico

Filesize
230KB

MD5
32090d243d49ecc854eb053cf3e14e20

SHA1
860a594501c07df10c4feec8ed28ba0834a705b7

SHA256
d72fc7f49abe4e764d301d40b7c2be68aa99268b58bd1c99b6cf30902343d81c

SHA512
608dc55f059b484bdfcdf79a1f92abee52764a127b5ea14f0bf92038f91e1304599f27ad76dfc35c058f77946ee3d3c3c2d8caaee2057921fba7e6fb67f2fe32

Download Submit
C:\Users\Admin\Desktop\SuspendConvert.dotm

Filesize
320KB

MD5
0770f040a926c8568a4df8c1c2d7038c

SHA1
0e32de93ba8eefd964d7c681b72deecbba650603

SHA256
fb56cebdc4d73c9d986986591c6581c93da1dce370544af65b70a1bb008c815c

SHA512
d47ca89622edc48be7ec588398a4d10d24ab80ff2a8dc5996e7bb37b70c0dee94a9ea33bbe593e73d15e3274584b820d3568a974a1c75cf42fbf8a23ef816cd3

Download Submit
C:\Users\Admin\Desktop\UnprotectUndo.docx

Filesize
15KB

MD5
035e7ad4afdcbdf26f6c91989f8281c1

SHA1
6224952e5f17c1699fea269f8ffc6c112147359d

SHA256
aa0927ef2e8de727ab4245881f6cc8b9ece2443ef9528fbbb742c687c78ee91c

SHA512
28f664c25f7929a3ba4e03fd7bbd290d7a914e339c44660f16d3df5054192a3f281ac6df96fafa1873ad3c907e651ece58f24109e28393087223a65ed4b6e071

Download Submit
C:\Users\Admin\Desktop\UpdatePush.mht

Filesize
398KB

MD5
a8a1152408a29342e44464800a4f4197

SHA1
f3312ff7ef489d8d0d4aebf3e34462e30742140a

SHA256
41a9029eb397349e561f43c923733aa91d8e163328660b08d7997573543cdab4

SHA512
6e2924be2dd418adf912b375bb9e212b111f7e28ba76b189e07dfee9c232f98f4a47e564a8ff9ca8e0d34b8dbc4c62e44f65f58cabb2737ebb7b81133a093774

Download Submit
C:\Users\Admin\Desktop\WriteSkip.svgz

Filesize
309KB

MD5
3f86a5794452502b745c1bb691edd264

SHA1
d5a42c37f4aaaff37a8936186ed75c52116b4462

SHA256
8efffecea786c18a78e579ee65b9a2d97fccc717f7833ce7a02b8986db27ee59

SHA512
a9025af5fdcba50bd938f793216e9c98cb020460b156b1da438b0de7c8ecab70e5a7ce33bff0d2be604bd72b0560207c54e1ec6774c8f6aaf318c4aedb5d0669

Download Submit
C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip.crdownload

Filesize
310KB

MD5
3973cb0da65fc881008031ac388046b2

SHA1
24dd6e62125508a6db5d53e087bddd37451ed4b8

SHA256
26ab9df0d662009aaa45693d94057f0b5ebcd83859772a4c082914d1d5b7ae68

SHA512
bc7d0254f23e1328d46b11834856cd72ed4ef54b90adb40540cb1dee359e2e7e977811da4cddff7c7e711b35c234a867fb15c811ad928db78781b67cffcef38d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
5120931921bffd1031ce80023e6bacca

SHA1
14f04720e68c9feb3c9bedfaaf2b44e33994f358

SHA256
766cec83331fb9a964881dba8a4d6f764e7fbb05f73d1f6ba73257ec9bfc8312

SHA512
ccd7bd8e8eaa6afba4caf95056d29ec4716aa7870384da4b56c81a2ecfc378bb106677d0bec937adf9cd43502f746090b82f2e3bd5b6ae3cc3aa0b553fa52df3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
14bda2f1ac3ff6639c3c240fbfca881a

SHA1
5850f40a49e51fccfd4c45fc251b6e76d1d91d44

SHA256
13530fe3ccbf7c3e7e3f57932e2d86174041250362f350f87f9ebcc1a8a16eeb

SHA512
f2ccbb9706ae08e591c2dbd21c5c5bd289ca3772be1dc7bf970bac6fc31dd5aa283d66425cd1ce04d01a80ac9f50e1315f0700878fd35387bc97dd791c9b7993

Download Submit
memory/1068-394-0x0000000000D24000-0x0000000001D11000-memory.dmp

Filesize
15.9MB

Download
memory/1068-395-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1068-2-0x0000000000D24000-0x0000000001D11000-memory.dmp

Filesize
15.9MB

Download
memory/1068-1-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1068-7-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1068-234-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1068-233-0x0000000000D24000-0x0000000001D11000-memory.dmp

Filesize
15.9MB

Download
memory/1088-323-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1088-307-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1236-305-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1236-258-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1236-271-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-325-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-12-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-41-0x0000000005710000-0x000000000572B000-memory.dmp

Filesize
108KB

Download
memory/1476-313-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-267-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-38-0x0000000005710000-0x000000000572B000-memory.dmp

Filesize
108KB

Download
memory/1476-344-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-328-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-331-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-42-0x0000000005710000-0x000000000572B000-memory.dmp

Filesize
108KB

Download
memory/1476-239-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-334-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/1476-351-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/2864-350-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/2864-337-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-314-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-352-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-326-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-2100-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-10-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/3060-241-0x0000000000D20000-0x00000000021CF000-memory.dmp

Filesize
20.7MB

Download
memory/5440-854-0x000001FB65650000-0x000001FB65672000-memory.dmp

Filesize
136KB

Download
memory/5600-941-0x00000194D8010000-0x00000194D8186000-memory.dmp

Filesize
1.5MB

Download
memory/5600-942-0x00000194D83A0000-0x00000194D85AA000-memory.dmp

Filesize
2.0MB

Download